Microsoft  at  LinuxWorld? 

It's true. And the company will have plenty of company as Novell, HP and others make news at the open source gathering this week. PAGE 9.


Crash  the  'Net? 

How tough would it be? ... And why hasn’t anyone done it? Columnists Mark Gibbs and Paul McNamara disagree on the answers. PAGE 50.


A  closer  look  at  Vista 

Testing of Microsoft’s newest operating system shows better file sharing; new security measures. PAGE 10.

Outsourcing. Automation. Downsizing. The industry has been awash in unemployed IT pros. But experts now predict an IT staffing crunch is just around the corner, and the implications for U.S. technology innovation are sobering.


Company  says  testing 
may  reveal  wider  impact. 

BY  ELLEN  MESSMER  AND  PHIL  HOCHMUTH 

Heavy fallout continues on several fronts from a security researcher’s recent disclosure that unpatched Cisco routers can be subverted by buffer-overflow attacks and shell-code exploits.

Among the developments last week: Cisco continually revised its security bulletin, adding details as to how versions of unpatched IOS software could be undermined by a “specifically crafted IPv6 packet.” Sources at Cisco say testing will continue indefinitely and could include findings related to more than simply IPv6-related exploits.

The researcher who touched off the uproar, Michael Lynn, says he is now the subject of inquiries by FBI agents, and he continues to defend the propriety of his actions.

The episode rekindled debate about “responsible disclosure,” the notion that information about major security problems should be made public in a way that brings minimal risk to customers.

According  to  Lynn  and  other  experts,  what  Lynn 
described  and  demonstrated  at  the  Black  Hat 

See Cisco, page 12

New York courts find security in IP video


BY  PHIL  HOCHMUTH 

NEW  YORK  —  You’ve  heard  of 
the  long  arm  of  the  law:  In  New 
York,  eyesight  and  memory 
stretch  pretty  far,  too. 

The New York State Unified Court System recently put the finishing touches on a network of more than 350 IP video surveillance cameras. These network-attached eyeballs record every minute of every day in all New York court facilities statewide and link to a multi-terabyte storage system, giving court security officials a powerful tool to monitor and protect their facilities.

But for the court’s IT group, high-bandwidth video is just another stream on an IP network built several years ago with enormous capacity now tapped to deploy a variety of advanced services. Also supported is a 10,000-seat IP telephony network and more than 100 IP videoconferencing units. Overall, these systems save the courts about $1 million per year on various voice and video costs, and allow for advanced services such as comprehensive video surveillance, which were once cost-prohibitive.

The courts last year rolled out a limited IP video surveillance system, based on open source software written in-house. This pilot

See  Courts,  page  48 


WiderNet

Mooching Wi-Fi

BY JOHN COX

If you connect to someone else’s open Wi-Fi router and start using that broadband Internet service you are:

a) guilty of stealing from the service provider; b) committing an unethical act; c) really cheap; d) not guilty; or e) all of the above.

The  correct  answer  is  wide  open  to  debate.  But  the  range  of 
possible  answers  —  and  there  are  plenty  more  we  could  list  — 

See Mooching, page 49

the legality ... not to

Wider Net archive.

DocFinder: 8245

IT  Borderlands 

IT pro Ken Fasimpaur tackles the tough issue of whether to check work e-mail while on vacation: "More than any other reason, I check it to ease the uncertain number of nebulous problems that I’ll have to deal with when I return, along with their cumulative mental impact."
DocFinder:  8340 


Online  help  and  advice 

Nutter's  Help  Desk 
Help  Desk  guru  Ron  Nutter  answers 
a  VLAN  configuration  question  for  a 
user  studying  for  his  GCNA. 

DocFinder:  8341 

Small  Business  Tech 

Eliminate static passwords
Columnist James Gaskin says CryptoCard offers guaranteed two-factor authentication security.

DocFinder: 8342

Home LAN Adventures

Is it time to jump to a Gigabit home LAN?

Keith Shaw wonders: Is the time right for Gigabit speeds on the home LAN, or is it overkill?

DocFinder: 8343

Seminars and events

VoIP: Capitalizing on Convergence

A Technology Tour and Expo packed with real-world data and case studies from leading companies and front-line colleagues who've successfully deployed converged infrastructures. The average savings of these early adopters: $500,000. Want in? Qualify, and you can attend free.

DocFinder: 8344


BREAKING  NEWS 

Go  online  for  breaking  news  every  day.  DocFinder  1001 

Free e-mail newsletters

Sign  up  for  any  of  more  than  40  newsletters  on  key  network  topics. 

DocFinder  1002 

What  is  DocFinder? 

We’ve made it easy to access articles and resources online. Simply enter the four-digit DocFinder number in the search box on the home page, and you’ll jump directly to the requested information.


6 • www.networkworld.com • 8.8.05


Virus  writer  sets  upon  Microsoft  Vista 

■ A week after Microsoft released the first beta of its Longhorn client operating system, now called Vista, an Austrian virus writer has published five viruses that target Microsoft’s new command shell technology called MHS (previously code-named Monad). Microsoft had planned to ship MHS with Vista, but recent rumblings among Microsoft watchers say that might not happen. Microsoft has not made an official announcement on the availability of MHS. However, last week security vendor F-Secure said the viruses were the first “Vista viruses” discovered. Last year, researchers from Symantec concluded that the current version of the Microsoft Shell had enough functionality to allow a variety of malicious threats including file-infecting viruses. (See our test of Vista on page 10.)


Prepping for Patch Tuesday

■ Microsoft plans to release six software patches this week covering Windows flaws. The company also plans to release an updated version of its Microsoft Windows Malicious Software Removal Tool, and a non-security update for Windows. The patches, which Microsoft calls “updates,” will come as part of the company’s regular monthly patch release cycle. Microsoft releases most software patches on the second Tuesday of each month, a date that has come to be known as “Patch Tuesday” by security professionals. The company did not release details about the patches, except to say that some of them will be rated “critical,” meaning that flaws could allow malicious code to be installed on an affected computer without user action.

MCI  becomes  a  buyer 

■ The fact that MCI is in the middle of being acquired by Verizon hasn’t stopped the company from looking to do buyouts of its own. MCI last week announced it is acquiring Totality, a privately held service provider in San Francisco that offers remote application and infrastructure management. Totality’s service lets users keep their application servers and network infrastructure in their own data centers while the firm manages these systems remotely. Financial details about the deal were not disclosed. American Airlines and Sony are among Totality’s customers.


Quote of the week

“We’re like the frog sitting in the slowly boiling pot. It is happening so slowly no one notices, but pretty soon we’re going to be dinner.”

Harris  Miller,  president  of  the  ITAA, 
discussing  a  future  IT  staffing  shortage. 

See  story,  page  36. 

A good battery, and good for you

■ Researchers at NEC have developed a rechargeable battery that is based on organic compounds and could be useful in a wide range of IT-related applications, the researchers said last week. The organic radical battery is based on a cell structure similar to that of a lithium ion battery, the type commonly found in devices such as notebook computers and cell phones. However, there is one significant difference: instead of using poisonous ingredients such as lithium and cobalt it uses an organic compound called PTMA. The change not only makes the battery more environmentally friendly but also delivers some properties that could make it better suited to certain applications than existing batteries, the researchers say. Chief among these is a high-power density that could be useful, for example, in providing enough power to allow a PC to back up data and shut down properly in the event of a main power failure.


The Good, the Bad, the Ugly

Microsoft: If you can't beat hackers. . .

Microsoft is working on plans to make a recent hacker meeting held on its Redmond, Wash., campus a semi-annual event, with the next Blue Hat security gathering to be held sometime this fall. In sessions at the initial event, security researchers demonstrated how flaws in Windows products could be exploited. "As we continue to engage with security researchers, we've become more comfortable getting into these face-to-face interactions with them," says Stephen Toulouse, a program manager in Microsoft's security unit.

Down on the farm. Computer usage, ownership and Internet access on farms are leveling off, according to a new Department of Agriculture study. A total of 58% of U.S. farms now have access to a computer and 51% have Internet access.

Phishers have it too easy. U.S. banks are putting customer convenience ahead of security and, in the process, making it easier for online phishers to create counterfeit bank cards, according to a new Gartner report. With the Internet now a common source of stolen account information, phishers are accounting for a growing portion of the estimated $2.75 billion in annual losses that card abuse is costing U.S. banks, the research firm says.

Sprint,  Nextel  deal  nears  finale 

■ The $35 billion merger of Sprint and Nextel is virtually a done deal now that the FCC and the Department of Justice have approved the transaction. Both government organizations last week gave their blessing to the union, which will solidify Sprint’s position as the third-largest wireless service provider in the U.S. Sprint/Nextel will serve about 45 million customers, which is behind only Cingular Wireless, with about 50 million users, and Verizon Wireless, with 45.5 million subscribers. Sprint says it will announce the close of the deal shortly.


“You  put  a  Longhorn  in,  you 
pull  the  XP  out/You  put  a 
new  name  in  and  you  shake 
it  all  about/You  call  the 
darn  thing  Vista  and  you 
give  a  great  big  shout/But 
when  will  it  all  roll  out?” 


Curt Maas' Vista Hokey Pokey took home the top slot in this week's contest. Join us every Monday for the start of a new round.
www.networkworld.com/weblogs/layer8


Cisco’s  vulnerable  side 

■ Cisco last week said it is resetting passwords for all registered users of its Cisco.com Web site after discovering a vulnerability in its search engine software that left user passwords exposed. The passwords are used by Cisco customers, employees and partners who have registered on the Web site to get access to special areas of the site or to receive e-mail alerts. Cisco was made aware of the problem early last week and corrected it immediately, a spokesman says. As a precaution, the company has been sending new passwords to all registered users.


Unclear costs dampen IPv6 migration


BY  CARA  GARRETSON 

The dearth of information regarding IPv6 migration costs, combined with the fact that many organizations are not sold on the purported benefits offered by the latest version of the Internet Protocol, is making the case for upgrading difficult to argue.

However, help might be on the way. The Department of Commerce plans to release an update to a 2004 interim report on IPv6 migration issues that will give the costs a hard look. While designed


EMC refreshes Clariion storage line

BY DENI CONNOR

EMC last week gave its midrange Clariion storage line a face-lift, with an upgraded operating system designed to improve data management and availability and hardware designed to boost performance.

Industry watchers point to EMC’s new Virtual LUN technology as perhaps the highlight of the announcements. This addition to the Flare operating system is designed to help customers more easily shuffle data from disk to disk within an array or remove an array without stopping applications on a host computer. LUN, or logical unit networks, is a term used in storage-area networks to describe the connection between a server or host computer and an array.

“No other storage vendor is offering it in a midrange system right now,” says Charles King, principal analyst for Pund-IT.

Astolfo Rueda, network administrator for Seattle law firm Preston, Gates & Ellis LLP, is beta-testing the technology.

“Virtual LUN technology allows you to move data without impacting the host computer or the client,” Rueda says. “It allows us to take advantage of all the servers and arrays ... while guaranteeing the consistent state of an Exchange or Informix database.”

UltraPoint Technology, another addition to the operating system, enables customers to detect and diagnose disk problems. It also automates the process of shifting selected data from more expensive systems to less expensive ones, such as from Fibre Channel to Advanced Technology Attachment (ATA) disks.

Both operating system improvements are backward compatible with older arrays.

On the hardware side, EMC introduced the Clariion CX300-S, CX500-S and CX700-S arrays, which are DC powered for mobile applications. The DC power helps to make the systems compliant with standards required for use in government, telecommunications, and oil and gas industries. The arrays, which are priced starting at $15,000, replace the CX300, 500 and 700.

The company also introduced new models of its Clariion Disk Library, a disk-based backup and recovery product line. The DL310, DL710, DL720 and DL740 have up to double the performance and capacity of previous models. They use ATA drives and can scale up to 384T bytes of capacity. EMC has incorporated a technology it calls write-cache consolidation, which can aggregate small blocks of data into larger chunks to increase performance.

The Disk Libraries are priced starting at $110,000. ■


The Clariion DL310 is one of four new virtual tape libraries from EMC.


Moving up

Transitioning to IPv6 requires planning, upgrading, configuring and testing of an organization's infrastructure. While specific dollar amounts are difficult to pin down, here's a view of estimated costs relative to companies' budgets.

Item                                                          Relative cost

Hardware replacement costs:
  Routers, firewalls, interface cards, etc.                   medium

Software upgrade costs:
  Network monitoring/management software                      large
  Operating system                                            small
  Server applications                                         small
  ERP software                                                large
  Vertical applications                                       large

Labor costs:
  Training IT staff                                           large
  Creating a transition strategy to IPv6                      medium to large
  Installing and configuring new hardware                     large
  Establishing transition techniques such as tunneling        medium
  Upgrading software                                          small to medium
  Testing                                                     large
  Maintenance                                                 medium to large

Other:
  Lost employee productivity caused by unexpected downtime
  during the transition                                       medium
  Security intrusions                                         large
  Interoperability issues                                     medium to large

Note: Estimates are meant to show not incremental costs, but the difference in costs of transition-related elements.

SOURCE: DEPARTMENT OF COMMERCE'S NATIONAL TELECOMMUNICATIONS AND INFORMATION ADMINISTRATION


primarily for government use, the 2004 report outlined rough cost estimates for companies planning to upgrade to IPv6 (see graphic), and the follow-up report will offer specific dollar figures, says Brent Rowe, a research economist with RTI International, a not-for-profit research organization that aided the Commerce Department in the study. The updated report, under review at Commerce, is expected soon, he says.

One reason IPv6 upgrade costs are so hard to quantify is that, outside of government projects and test implementations at a handful of companies, few in this country use the 10-year-old protocol.

“Nobody in this country has rolled it out in the way it will be rolled out in a few years,” says Tom Patterson, executive director of the IPv6 Business Council, chartered with finding a place for the upgraded protocol in the commercial world. Council members include Boeing and Bechtel.

This presents a chicken-and-egg problem: Companies are hesitant to upgrade to IPv6 in part because the costs are unclear, but until some organizations make the switch, costs won’t be clarified.

IPv6 is said to offer a number of technical benefits compared with its predecessor, IPv4, including easier administration, tighter security, and an enhanced addressing scheme. Despite those advantages, IPv6 has yet to become a must-have in corporate America, in part because organizations have found workarounds to a number of the limitations found in IPv4.

Yet attitudes toward the upgraded protocol could change following a mandate issued by the Office of Management and Budget last week dictating all federal government agencies must move their backbone networks to IPv6 by June 2008. Observers say this move will likely spur at least some adoption of IPv6 in the commercial market (see www.networkworld.com, DocFinder: 8347).

There’s also been movement among vendors that sell IPv6-compliant products, such as supercomputer maker Cray, to use the protocol internally. But corporations have largely ignored the updated protocol.

Moving to an IPv6 world will be a slow process because so many elements are involved, Patterson says. “We see the cost of IPv6 creeping into American businesses, rather than blasting in,” he says.

Routers and operating systems have included IPv6 for years. To migrate, most companies won’t have to replace those components. Yet other organizations, particularly those in government, are far from standardizing the most recent releases of many products — word is the Justice Department still runs Windows NT.

“No one’s going to go out and buy a new operating system or router just to get IPv6 benefits, which are up in the air anyway,” RTI International’s Rowe says.

Applications are the key to creating momentum toward IPv6, because those that take advantage of the upgraded protocol’s main features will enable companies to do business in a new way, Patterson adds.

But IPv6-enabled applications also represent the greatest unknown cost, says David Powner, director of IT management issues with the Government Accountability Office. “With application development, that’s where you truly leverage the protocol, so that’s the big unknown right now.” ■


nww.com 

More  on  IPv6 

Read  Network  World  columnist  Johna  Till 
Johnson’s  take  on  IPv6. 

DocFinder: 8351

LinuxWorld to highlight enterprise role

Novell, HP among vendors planning announcements as show kicks off in San Francisco.

“[LinuxWorld] started out being specifically about Linux. But now Linux and open source has become so pervasive that even Microsoft is there.”

Gordon Haff, analyst, Illuminata

BY JENNIFER MEARS AND DENISE DUBIE

If there was any doubt about whether Linux is gaining ground in enterprise data centers, this week’s LinuxWorld in San Francisco should put that to rest. Consider this: Microsoft is leading a session.

That session, titled, “Managing Linux in a Mixed Environment ... at Microsoft?” and to be led by Bill Hilf, director of Microsoft’s platform technology strategy organization, is just one of several sessions and workshops that will look at how Linux fits into an overall data center architecture.

Microsoft’s role at the show highlights the growing maturity of Linux, analysts say. Rather than helping IT managers decide if Linux fits in their environments, the show now is more geared to where the operating system fits and what open source products best fit on top of it. Talk also will center on beefing up security for Linux, running Linux in virtualized and grid environments, and enhancing management tools for Linux.

Show organizer IDG World Expo, a sister company of Network World, says it expects more than 11,000 people to attend. Last year, 11,400 showed up, while 8,300 people came to LinuxWorld in Boston in February. The number of exhibitors at this week’s show has increased from about 180 last year to 200, organizers say.

The growing interest from vendors and customers illustrates the evolution of Linux into a mainstream operating system, analysts say. According to a Forrester Research study, Linux ranks third, behind Windows Server 2000/2003 and IBM z/OS, as an operating system that respondents consider strategic. And 26 of the 56 respondents in the May survey said they are using Linux in their data centers.

“At this point, Linux is a done deal,” says Michael Goulde, an analyst at Forrester. IT managers “are going to see what they can do with Linux and open source and how to expand their use of it, rather than just looking at how they can initially adopt it.”

IT managers attending the show also will get a look at how the Linux community is hoping to grow. Novell, for example, plans to announce that it will open up a version of its SuSE Linux to users and developers. The goal of the OpenSuSE project is to expand the adoption of Linux by making it more easily accessible, says Greg Mancusi-Ungaro, director of marketing for Linux and open source at Novell.

“The reason we launched the project is that we’re trying to help drive Linux adoption everywhere. We’re trying to raise the needle of Linux usage worldwide,” he says. “We talked to Linux users and Linux developers and we’re hearing that it’s still very hard to get Linux unless you’re a technical user. We want to change the dynamic and make it much easier to get Linux.”

Similar to Red Hat’s Fedora project,
See LinuxWorld, page 14


OPERATING SYSTEMS

Vista (Beta for next version of Windows)

Microsoft

Results

Pros: Better visual organization; very good file/resource searching; some attention paid to security.


Getting IT’s view of Vista

Revamped file system, new security measures will require IT planning.

BY TOM HENDERSON, NETWORK WORLD LAB ALLIANCE

Preliminary testing of the first public beta release of Microsoft’s next version of Windows, Vista, shows that a reorganized system for managing files and folders and new security features aimed at thwarting malware will force enterprise administrators to think about how these features can be best deployed across their networks.

We tested the Build 5112 of the client version of the Vista code (see “How we did it,” below). Beta code for the server version isn’t publicly available yet. The client code is far from finished (the long-awaited search technology and promised configuration and management upgrades are missing), and it’s not very stable — we had a blue screen and reboot within 10 minutes of initial testing.

That said, Microsoft has vastly expanded its file system characteristics through the use of file metadata tagging, virtualized folders, and peer and server file services. Microsoft has taken its traditional “documents and settings” file folder structure and, while keeping some ties to it for backward compatibility, has adopted the user “home” directory folder concept from Unix, Linux, MacOS and other operating systems.

In addition, a public folder for each machine is automatically made that is then available for cross-machine (peer) searches, making Vista a thoroughly team-enabled operating system that allows information sharing in ways not before seen in other Microsoft operating systems.

Files and folders also can now be easily cached and synchronized to a server using a method that completes the vision of the Windows 95 Briefcase system of server-side back-up and availability services. This plays into Microsoft’s recently announced Data Protection Services initiative, but we could not test those ties, as the production version of Microsoft’s Data Protection Manager wasn’t available. How synchronization works across both groups and individuals will require administrative thought to avoid multiple concurrent instances of data and program files.

File attributes — presented as file metadata in Vista — have been expanded. Metadata tagging information schemas have standard definitions, but they beg expansion, as the tags are limited to applications for which Windows has generated example tags. For example, beyond knowing the author, you might want to know if a document has had a legal review by a certain user.

This level of metadata tag usage will force IT execs to consider new policy management scenarios for the kinds of metadata tags that can be used by which users, how metadata is organized, and the means by which new data can be searched for across enterprise boundaries.

New  user  account  protection 

Vista  uses  a  modified  (from 
Windows  XP)  security  model  for 
enabling  security  hierarchy  One 
problem  for  XP  has  been  that 
many  users  and  processes  have 
administrative-strength  privilege, 
allowing  unwitting  and  surrepti¬ 
tious  installation  of  malware. 
Patches,  fixes  and  updates  also 
must  be  installed  using  adminis¬ 
trative  access  rights,  which  makes 
it  difficult  to  keep  administrative 
account  use  to  a  minimum. 

Microsoft strongly recommends user account protection (UAP), which dramatically demotes user account privilege. User-level logons can no longer even install basic and well-known applications such as Office XP without an administrative logon, which should help prevent the installation of malware. UAP is turned off by default in this release, as it can prevent applications from working. But even when it’s turned on, it can be easily fooled/thwarted with application spoofing.

Cons: Many features missing or not yet working, such as system security components; unstable code at this point.

With UAP (much like what happens with MacOS X+), each installation — also the case if you want to make modifications to the Windows registry or check certain files — requires the installer to provide an administrative password. Passwords issued by the new operating system are tokens used only for specific acts, so it’s possible to generate numerous token/authentication requests until databases can be built to protect multiple occurrences of protection requests per session. Simple execution of applications that try to install malware (we tested infected e-mail scripts and PIF files) can sometimes trigger an administrative password use. When we tested it with a common version of the Sobig virus, the downloaded virus that should have triggered the privilege or authentication request did not do so, and it easily infected the machine.

Applications used to living in an administratively privileged environment may or may not become exception-handling problems in the final edition. Microsoft certainly will have a long list of applications to accommodate as

See  Vista,  page  11 


How  we  did  it 


We tested Vista on two platforms, a Toshiba Satellite Notebook with 704M bytes of dynamic RAM, Intel 1.5-GHz Intel Celeron CPU, and a Polywell 2200S server with two Advanced Micro Devices Athlon 64 CPUs and 4G bytes of dynamic RAM. We used an ISO DVD to install both on both machines and found no incompatibilities. Each machine was connected to a D-Link Gigabit Ethernet switch and a 4M bit/sec Internet connection. We tested compatibility (simple logon) with Windows 2003 Enterprise Server, Samba 3.02 (RedHat Linux ES 4.02 on an HP DL140, Apple MacOS 10.4 on Xserve, SuSE EL9 on an HP DL140, NetWare 7 on an HP DL140 and others) as well as peer connectivity to Windows 2000 Professional/XP Service Pack 2 and others.

We tested file search and sharing capabilities, installed several applications to test user account protection and found that some applications were correctly handled but others slipped by the protection scheme. Searches using metadata tags were fast and easily organized. We used Word documents, pictures and binary files with added tags to successfully aggregate content searches. We also tested RSS through subscription to sites using RSS 1.0 to 1.22.


Microsoft's  Vista  (formerly  Longhorn,  beta  code  for  the  next  version  of  Windows)  displays 
metadata  tag  information  and  performs  as-you-type  searches  using  the  tagged  data. 
Longhorn Server beta also out to testers


BY  JOHN  FONTANA 

Lost amid the recent fanfare around the unveiling of Microsoft’s Vista client operating system, the company also shipped the first beta of its next-generation server software to a select group of testers.

Beta 1 of Longhorn Server, which according to Microsoft will not be called Vista Server, includes the core subsystems such as the Web service gateway called Windows Communication Foundation (formerly Indigo), and base-level APIs that will let developers and IT shops get a feel for the server.

“What Microsoft is asking is that as you are taking a first look at these low-level systems, now is the time to let us know if the core is correct,” says Michael Cherry, an analyst with independent research firm Directions on Microsoft. “As more work moves up the stack into the other features, it is harder to come back and fix [the core] if it is not right.”

Cherry says there should be enough functionality in the betas to test basic interoperability between client and server.

The  two  operating  systems  are 
being  developed  in  tandem,  but 
Longhorn  is  slated  to  ship  six  to  12 
months  after  Vista’s  target  ship 
date  of  late  2006. 

Eric Rudder, senior vice president in Microsoft’s servers and tools division, said at the company’s financial analysts meeting last month that Microsoft would ship Community Technical Previews and other betas of Longhorn Server throughout this year.

The  company  did  not  announce 
when  the  first  public  beta  would 
be  available,  but  the  first  public 
beta  for  Vista  is  slated  for  early 
next  year. 


Longhorn Server beta 1 was made available to 5,000 testers, including OEMs, hardware manufacturers, system builders, independent software vendors, developers and Microsoft’s internal IT organization. Microsoft officials say some customer members of its technology advancement program also received the beta.

While Longhorn Server beta 1 contains just a subset of the functionality slated for the server, Microsoft says the feature set for the final release has not changed, including task-oriented management, centralized and filtered event logging, image-based setup and deployment, transactional file system and registry, reduced reboots and smaller server footprint. Longhorn Server also will include Network Access Protection, a feature that was pulled from Release 2 of Windows Server, slated for release at year-end.

A Microsoft official reiterated the company line that Longhorn Server will not ship until it has “received extensive feedback from beta customers and partners and after we have thoroughly tested the software.” ■


Vista

continued from page 10


root  users  or  find  fixes  for  before  the  2006  release. 

One feature in the Internet Explorer 7 upgrade included in Vista that may require network attention is the easy access to RSS feeds. With the new tabbed Internet Explorer 7 interface, we could add and delete RSS subscriptions without rules or other impositions as to any item except the frequency of RSS polling and updates. Some organizations have placed limitations on RSS usage because of its network bandwidth requirements and perceived loss of worker productivity.

Vista manifests Microsoft’s efforts to pay attention to security, availability and client-side management. While the feature set isn’t complete in this beta, it is obvious that a wide deployment of this upgrade will require extensive planning.

Henderson  is  principal  researcher  for  ExtremeLabs  in  Indianapolis. 
He  can  be  reached  at  thenderson@extremelabs.com. 
Cisco warnings

Major IOS-related Cisco Security Advisories issued this year:

| Advisory | Date | Impact |
| --- | --- | --- |
| IPv6 vulnerability | Aug. 3 | Bad IPv6 packets may force IPv6-enabled routers to reload or execute arbitrary code. |
| TCP vulnerabilities | April 13 | Could allow attackers to reset TCP connections into the router. |
| OSPF packet vulnerability | March 29 | Bad Open Shortest Path First packets sent to a router running OSPF could reload the device. |
| BGP packet vulnerability | March 21 | Bad Border Gateway Protocol packets sent to a router running BGP could reload the device. |
| MPLS packet vulnerability | Jan. 26 | Bad MPLS packets sent to a router could reload the device, whether it supports MPLS or not. |
| IPv6 packet vulnerability | Jan. 26 | Bad IPv6 packets may cause an IPv6-enabled router to reload. |

Cisco 

continued  from  page  1 

Conference on July 27 could potentially lead to manipulation of Cisco router tables, denial-of-service attacks and access to confidential data.

Through a security advisory, Cisco has indicated that the way some unpatched IOS routers handle IPv6, which has seen little adoption in North America outside of research labs, is a conduit for the type of buffer-overflow exploit revealed by Lynn. But last week, a Cisco spokesman acknowledged the exploit may be possible in other ways. “There’s ongoing information gathering and more testing,” says Cisco spokesman John Noh.

Cisco last week also released a new patch for Cisco IOS-XR, its new carrier-focused router operating system, which was introduced last year for its CRS-1 Internet core router, and ported to the 12000 series of carrier routers this year.

Experts and users say the hole in IOS appears not to be an immediate concern based on what is public knowledge at the moment, since patches are available. But what concerns some is that Lynn’s exploit techniques take router hacking to a new level, which eventually could have security implications for Cisco customers.

“Strategically, this is a very serious issue for Cisco,” says David Lawson, vice president and director of global security practice at Greenwich Technology Partners, a New York integration and consulting firm that specializes in Cisco technology. “It proves something we’ve been saying in the security field for a long time, that a router is breakable.”

Many  IOS  exploits  in  the  past 
would  simply  cause  a  router  to 
crash  or  reload  itself,  he  adds. 

“The big key to what [Lynn] did was to demonstrate a way to fool [the router] into thinking it was already crashing, so that it didn’t initiate the shutdown sequence. If you can do that, that opens up the ability to open up other exploits. Now you can actually get code running that does god-only-knows what.”

Responsible  disclosure? 

As for the question of responsible disclosure and whether Lynn represented that ideal or not, opinions continue to differ.

“I personally wouldn’t have done it the way he did it,” says Justin Bingham, CTO at security vendor Intrusic, referring to Lynn’s action in defying Cisco and Internet Security Systems (ISS) — his employer until he quit just hours before giving his demonstration. “I like my career being a security researcher and a lot of that is based on trust with your customers and other companies.”

Lynn, who has acknowledged breaking non-disclosure agreements in speaking out about the router exploit, says he took the step out of concern that withholding the knowledge would help would-be attackers and even posed a national security concern.

“The vulnerability which I demonstrated — but didn’t give any information about — was properly disclosed to Cisco months in advance,” Lynn says. “They had patches publicly available for months before I went on stage.

“That said, the disclosure debate is one that needs to happen. The idea of full disclosure is just about as dangerous as no disclosure at all. As with most things, we have to find the proper balance.”

While Lynn has settled one lawsuit with Cisco and ISS, agreeing not to disclose anything he knows about the exploit, his problems don’t seem to be over. The FBI is investigating him and interviewing friends and roommates, he says.

ISS, which declined to discuss the Lynn matter last week, has sought to stop the spread of the electronic version of the presentation slides that Lynn showed at Black Hat — many of which are labeled with the ISS logo — by threatening legal action against Web sites posting them.

ISS has benefited from its research by including preemptive protections for the vulnerabilities in its Proventia IPS product line and Internet Scanner products. ISS had been planning to make a big splash at Black Hat by unveiling the Cisco router flaw, but backed down when Cisco balked. But Lynn, after quitting his job at ISS, spoke out anyway.

Customers  want  more  info. 

Cisco  customers  say  they 
would  like  to  know  about  these 
types  of  security  problems  as 
soon  as  possible. 

“I’d like to be the first one to find out,” says Bob Lescaleet, MIS department manager at Pace Suburban Bus Service, a government agency in Arlington Heights, Ill., serving a six-county region. “I’m not sure Cisco should have kept this quiet as long as they have.”

John Monaghan, vice president of IT for Marnell Corrao Associates, a Las Vegas construction and architectural firm that uses Cisco routers and firewalls in its corporate and field offices, says he was troubled that Cisco was working with ISS on how to present the shell-code exploit at a hacker conference, but not telling customers about the potential threat.

“We are concerned that a vulnerability has existed, and that Cisco didn’t come clean and let us know about it,” Monaghan says. “As far as getting information from Cisco, it’s more of a pull from our end than a push from their end. You had to dig through an awful lot of rhetoric to find out that this vulnerability only has to do with IPv6.”

“As a user, you worry if there’s stuff out there already in the wild,” says Dennis Schwind, network specialist at Miami University in Oxford, Ohio. “Cisco is not telling us anything about” the shell-code exploit, he says. “You’re just left saying, I sure as hell hope this isn’t big. That’s really what you’re left [with], because there isn’t any real detail on what the real impact would be if this is exploited other than the ‘execution of arbitrary code,’” he says, referring to language used in Cisco’s security notice issued last week.

Microsoft  weighs  in 

Microsoft last week offered its view on responsible disclosure, saying it entails seeking to ensure there’s a fix in place before publicly identifying a flaw — but that there should be a time frame for this, says Stephen Toulouse, Microsoft’s security program manager in the Microsoft security response center.

In general, Microsoft supports the “Guidelines for Security Vulnerability Reporting and Response” published under the aegis of the Organization for Internet Safety.

These guidelines, while declaring there’s “no single universally appropriate time frame for investigating and remedying security vulnerabilities,” do state that 30 days is a “good starting point.”

The guidelines also suggest a 30-day “grace period” during which the remedy and information about the security problem is shared only with people and organizations “that play a critical role in advancing the security of users, critical infrastructures and the Internet.” However, Toulouse says if a security vulnerability is highly critical, he would consider releasing information within a day.

**The vulnerability which I demonstrated — but didn’t give any information about — was properly disclosed to Cisco months in advance.**

Mike Lynn, former researcher at ISS
Symantec, which has IPS products but doesn’t do the type of security research ISS does, didn’t have the advance knowledge about the exploit that ISS did, says Alfred Huger, senior director of engineering at Symantec Security Response. Nonetheless, he noted that sometimes researchers do share information about exploits across vendor boundaries, usually based on personal relationships.

Huger says Symantec would probably have treated the situation differently than ISS and Cisco did based on its own corporate guidelines for responsible disclosure, which give an IT vendor 30 days to correct an identified problem before going public.

McAfee President Gene Hodges said his company’s policy is “to share as much information as you need to share and nothing more.” The Cisco router flaw is “a very important vulnerability, probably one that’s had the biggest impact of anything we’ve seen all year.”

Among the questions surrounding the Cisco router exploit is whether a researcher’s attempt to use reverse engineering and disassemble code to discover flaws is illegal — a charge raised against Lynn by Cisco and ISS in legal filings.

“In  the  anti-virus  business,  that’s 
exactly  what  we  do,”  Hodges  says. 
“You  put  it  in  the  de-compiler  and 
try  to  figure  out  how  it  operates.” 

Mark Rasch, chief security counsel at security firm Solutionary in Omaha, Neb., says, “Reverse engineering is not clearly illegal.”

Lynn maintains that he was simply following orders from his then-employer.

“It  seems  to  me  there  is  a  license 
agreement  dispute  over  that  now, 
but  the  license  was  with  ISS,  not 
me,”  Lynn  says.  ■ 
Podcast: Black Hat wrangling

Hear  what  Network  World  Test  Alliance 
member  and  Black  Hat  attendee  Rodney 
Thayer  says  about  the  legal  wrangling  of 
researcher  Michael  Lynn. 
FCC nixes DSL sharing rules for Bells


BY GRANT GROSS, IDG NEWS SERVICE

The FCC voted Friday to end regulations requiring incumbent telecommunications carriers to share their DSL broadband connections with competitors.

The FCC, in a 4-0 vote, removed regulations that allowed competitors such as EarthLink to offer DSL over lines owned by the four Baby Bells. While large ISPs such as EarthLink have negotiated agreements with the Bells, some consumer advocates and telecom observers predicted the FCC’s decision could kill off DSL service from small ISPs when the DSL network-sharing rules end in a year.

The FCC’s decision puts DSL regulation on equal footing with cable modem service after the Supreme Court in June rejected a challenge to an earlier FCC decision allowing cable companies to close off their networks to competitors.

FCC Chairman Kevin Martin called the decision “momentous,” with consumers benefiting from a “leveling of the playing field” between DSL and cable modem service. “Consumers will reap the benefits of increased Internet access competition and enjoy innovative high-speed services at lower prices,” he says.

The  remaining  Bells  inherited 
much  of  their  telecom  networks 
from  the  breakup  of  the  AT&T 
monopoly  in  the  1980s.  In  an  effort 
to  spur  competition,  the  FCC  and 
Congress  have  required  them  to 
share  parts  of  their  networks  with 
competitors  at  discounted  prices, 
but  in  the  last  two  years,  the 
Republican-led  FCC  has  moved 
away  from  those  regulations. 

SBC and Verizon cheered the FCC’s decision, saying old rules requiring them to share parts of their networks with competitors discouraged them from investing in new products and offering new services. The decision will help the Bells meet President Bush’s goal of nationwide broadband availability by 2007, Verizon says.

EarthLink noted the current DSL line-sharing rules will stay in place for a year, and the company already has contracts with the Bells to provide DSL. “We have every confidence we’ll be able to extend those with them to offer DSL service,” says Dave Baker, vice president for law and public policy at EarthLink. “We have hundreds of thousands of customers, and the Bells will want to preserve them.”

Consumer  groups  suggested 
that  DSL  customers  could  still  lose 
out.  “Changing  these  rules  is  .  .  . 
anti-competitive  and  will  lead  to 
fewer  choices  in  the  marketplace, 
which  means  higher  prices  and 
worse  service,”  says  Kenneth 
DeGraff,  a  policy  advocate  at 
Consumers  Union.  ■ 


IBM  extends  portal  to  Big  Iron 


BY  STACY  COWLEY,  IDG  NEWS  SERVICE 

IBM is looking to broaden the reach of its WebSphere Portal. A recent upgrade made the 4-year-old software available for the first time on IBM’s zSeries mainframe and iSeries midmarket servers, a move IBM hopes will spur customer interest in deploying portal software on platforms for which it has previously not been widely available.

“Most sales, in terms of volume, have been on Windows,” says Ken Bisconti, an IBM vice president. “This [upgrade] is notable in its expansion of our market coverage.”

IBM offers an Express version aimed at smaller businesses, and that software was already available for iSeries servers. However, IBM’s full-strength WebSphere Portal strongly outsells Express.

The new WebSphere Portal 5.1.0.1 also includes tweaks to simplify deployment and management and to support the latest Web services standards. The WebSphere portal starts at $89,186 per CPU. ■
IM vendor embraces AOL, Microsoft


BY  JOHN  FONTANA 

Instant  messaging  server  vendor  Antepo 
plans  to  add  integration  with  AOL’s  Instant 
Messenger  service  and  the  newest  versions  of 
Microsoft’s  IM  platform  when  it  releases  the 
next  edition  of  its  software  later  this  month. 

The integration features are the highlight of Antepo’s Open Presence Network (OPN) XT, which lets corporate users interact with users of various IM platforms and desktop client software.

OPN  XT  supports  Extensible  Messaging  and 
Presence  Protocol,  as  well  as  Session  Initiation 
Protocol  (SIP)  and  SIP  for  IM  and  Presence 
Leveraging  Extensions  (SIMPLE). 

Antepo has added support for session-based messaging through SIMPLE, which is the same mechanism used by Microsoft’s Live Communications Server (LCS) to interoperate with AOL. Microsoft and AOL began supporting interoperability between their platforms in May.

Now that Antepo has added the session-based support, OPN XT can interoperate with users running LCS with Service Pack 1 and the new Office Communicator client.

The server also works with the older Windows Messenger client and with Macintosh iChat and Linux GAIM, a clone of the AOL Instant Messenger client. OPN XT also supports BlackBerry and Pocket PC devices.

With OPN XT, translations between SIP/SIMPLE and AOL’s proprietary IM protocol happen on AOL’s network. Antepo, however, has added enhancements to its Web-based console so users have local control over policy management and access control lists, which can be built using a combination of domains and directory-based, user group listings.

OPN XT is compatible with Microsoft’s Active Directory and with the user directory of Microsoft Exchange 5.5.

“This is a legitimate way to go [for corporate users] as an IM server or as a protocol translation server,” says Robert Mahowald, an analyst with IDC. “It contains some of the functionality that users [otherwise need to buy] from third-party IM integration vendors such as FaceTime, Akonix and IMlogic.”

Antepo also has added a clustering deployment wizard to ease setup of multiple OPN XT servers and added built-in Transport Layer Security certificate management. The software includes firewall and anti-spam capabilities and a software development kit to integrate presence information into applications.

Antepo  also  is  working  on  a  Web-based 
client  it  intends  to  release  in  October,  and 
plans  to  add  integration  with  IP  telephony  and 
calendar  applications  in  the  next  release. 

The OPN XT server is priced at $30 per user. ■


Leading  with  Linux 


About  180  vendors  will  be  showing  their  wares  at  LinuxWorld. 
Here’s  a  sampling: 


| Company | Announcement |
| --- | --- |
| ANTs Software | Enhances compatibility of its open source SQL database with databases from Microsoft, Oracle and Sybase; adds support for data management software from TimesTen, a firm Oracle recently acquired. |
| Dell | Two dual-core Pentium servers; support for LAMP (Linux, Apache, MySQL, Perl/Python) environments, the JBoss application server and the MySQL database on its PowerEdge servers. |
| Emic Software | New version of m/Cluster, software designed to provide a highly available and scalable environment for open source applications. |
| HP | Virus Throttle, which is designed to protect Linux environments from downtime as a result of viruses; support for open source on NonStop and Unix systems. |
| IBM | “Grid and Grow,” a packaged grid bundle that can run on Linux. |
| Novell | Opening its code for the first time and releasing its first public beta of the software, SuSE Linux 10.0. |
| Opsware | Global Shell, which lets systems administrators manage machines running different operating systems, including Linux, from one command-line interface. |
| Penguin Computing | Two Linux blades built on Intel and Advanced Micro Devices 32/64-bit chips. |
| Platform Computing | Enterprise Grid Orchestrator, which expands the company's grid management software beyond high-performance computing into the enterprise; an updated version of Platform Rocks, Linux cluster management software. |

LinuxWorld 

continued  from  page  9 

OpenSuSE will give users and developers access to operating system code to create a transparent and open development environment, Novell says. Novell will make a beta release of SuSE Linux 10.0 available at the show.

The  OpenSuSE  project  will  give 
IT  managers  earlier  access  to  new 
features  in  the  operating  system 
for  building  internal  applications. 
“Then  the  jump  from  SuSE  Linux 
to  SuSE  Enterprise  Linux  is  a  small 
one,”  Mancusi-Ungaro  says. 

Al Tobey, senior Unix engineer at Priority Health in Grand Rapids, Mich., says he plans to attend LinuxWorld to hear more about how vendors such as HP are providing support for Linux and open source deployments.

“Finding  support  has  been  an 
issue  since  open  source  started 
falling  on  people’s  radars,”  he  says. 
“It  will  be  interesting  to  hear  what 
HP  is  offering.” 

HP is set to make several announcements at the show, including expanded support for open source applications such as Zope content management software, which Priority Health runs and supports in-house.

“We have an existing relationship with HP and it will be nice just to add on to that rather than having to go somewhere else for support,” Tobey says.

The  desire  to  centralize  support 
for  Linux  also  will  be  highlighted 
by  the  release  of  products  aimed 
at  making  it  easier  to  manage 


Linux  and  other  operating  systems. 

Opsware, for example, plans to unveil a feature in its Server Automation System (SAS) 5.1 that the company says will help systems administrators manage multiple machines running various server operating systems from one command-line interface. Called Global Shell, the feature provides secure access to Linux, Unix and Windows servers through one shell and provides access to Windows registries. It also uses the command-line interface and scripts that systems administrators are more comfortable using with servers, Opsware says.

“Systems administrators can adapt their Unix scripts to work within the Opsware data model and securely connect to multiple machines,” says Tim Howes, CTO at Opsware. “The feature shuts the back doors that might be open to server access and cuts the grunt work out of managing multiple machines running different platforms.”

Opsware Global Shell is available now in SAS 5.1, which costs about $1,200 per managed server.

Open source management software maker Groundwork also will be showcasing a new open source project designed to make the open source monitoring software, Nagios, easier to navigate. Groundwork earlier this year unveiled its commercial software, Groundwork Monitor, which is built upon Nagios’ IT monitoring technology. Nagios has had more than 660,000 downloads since 2001, the company says.

LinuxWorld will give attendees a broad look at the role Linux and open source can play in enterprise data centers. Much of the news will be similar to what end users would find at other mainstream shows, analysts say.

“Linux really is maturing, so you’re not seeing the kind of radical month-to-month, LinuxWorld-to-LinuxWorld changes that you had a couple of years ago,” says Gordon Haff, an analyst at Illuminata. “LinuxWorld really is becoming a broader show.”

“It started out being specifically about Linux. But now Linux and open source have become so pervasive that even Microsoft is there,” he says. “It has evolved into this much less exclusive sort of show.” ■
Short Takes


■ Chelsio Communications last week announced a 10G Ethernet network interface card for high-powered servers, based on the CX-4 copper standard for short-range 10G links. Chelsio's T210-CX server adapter uses twinax, or InfiniBand-like, copper cabling and can connect to a 10GBase-CX4 switch up to 50 feet away. Approved last year by the IEEE, 10GBase-CX4 is the first non-fiber standard for 10G Ethernet, although the standards body is expected to approve a version of 10G Ethernet for Category 5e/6 cabling next year. For users that need standards-based 10G copper now, the Chelsio T210-CX4 is available for $800.

■ NFR Security this week is expected
to announce three new high-end
versions of its network-based
Sentivist Enterprise Series Smart
Sensors  line  of  intrusion-prevention 
systems.  The  Smart  Sensor  ES500 
appliance,  which  costs  $35,000, 
reaches  500M  bit/sec;  the  ES1000, 
which  costs  $73,000,  attains  1G 
bit/sec;  the  ES2000,  which  costs 
$100,000,  runs  in  the  2G-bit/sec  range. 
Previously,  the  NFR  Security  IPS  sen¬ 
sors  were  limited  to  approximately 
200M  bit/sec.  NFR  Security  expects 
to  ship  the  new  high-end  IPS  models 
late  next  month. 

■ Solidcore Systems this week is
expected  to  announce  S3  Security, 
change-management  control  soft¬ 
ware  that  aims  to  prevent  unautho¬ 
rized  changes  to  an  operating  system 
or  applications  running  on  Windows, 
Linux  or  Unix  servers.  S3  Security, 
which  costs  $2,000  per  node  and  is 
scheduled  to  ship  in  late  September, 
provides  a  way  to  detect  run-time 
tampering  of  software. 
3Com CTO spells out strategy


3Com  acquired  intrusion  preven¬ 
tion  leader  TippingPoint 
Technologies  in  December  2004 
and  last  month  installed 
TippingPoint  CTO  Marc  Willebeek- 
LeMair  as  CTO  for  the  entire  com¬ 
pany.  Willebeek-LeMair  recently 
talked  with  Network  World  Senior 
Editor  Phil  Hochmuth  about  moving  from  the  CTO 
post  of  a  former  start-up  with  105  employees  and  $5 
million  in  sales  to  a  $700  million  company  with  a 
workforce  20  times  greater. 

How  have  3Com  product  managers  and  engineers  taken  to  your 
appointment? 

I  got  a  lot  of  phone  calls  from  heritage  TippingPoint  peo¬ 
ple  and  3Com  people,  and  it  was  an  overwhelmingly  posi¬ 
tive  response.  One  of  the  things  I  heard  from  these  people 
was  that  3Com  needs  someone  to  unify  a  lot  of  the  pieces 
in  the  company  into  a  more  coherent  strategy  and  vision. 
That’s  something  I’ve  done  quite  a  few  times  in  my  past. 
One  of  the  first  exercises  I  went  through  was  to  articulate 
a  vision  for  the  company  in  the  form  of  a  document  that 
was  produced  as  a  collaborative  effort  between  many  of 
the  leaders  in  3Com  and  just  about  anyone  who  had  an 
opinion  and  wanted  to  offer  thoughts. 


What  does  this  document  say? 

I feel that we’re at a significant inflection point in the network
industry. We’ve had IP networks in existence for quite
some time now. It’s one of the greatest technologies ever
invented from a network standpoint. It can connect anything
to anything, servers to clients, PCs, laptops, PDAs, refrigerators.

But  it  is  a  connectivity  plane.  What  has  happened  in  the  last 
several  years  is  that  the  type  of  traffic  that  this  IP  network  has 
been  asked  to  carry  has  evolved  dramatically.  An  IP  network 
today  just  happily  looks  at  a  packet  header,  sees  where  it 
needs to go, and forwards it on its way as quickly and efficiently
as it can. That’s not enough anymore. And so what
we’re  seeing  are  different  proposals  in  terms  of  what  the  next 
evolutionary  step  of  this  network  is  going  to  be.  We’ve  formu¬ 
lated  our  own,  which  we  will  start  to  share  as  soon  as  we  go 
through  the  vetting  process  of  how  we  think  the  network  is 
going  to  evolve. 

How  might  this  play  out  in  terms  of  new  products? 

What  we  imagine  is  a  network  that  is  bi-planar,  where  there  is 
a  traditional  connectivity  plane  that  exists  today  and  then 
there  is  a  layer  on  top  of  that,  a  level  of  intelligence;  some  peo¬ 
ple  call  it  a  services  plane  or  an  intelligence  plane,  that  offers 
a  much  more  policy-driven  capability  to  manage  what’s  going 
across  the  network. 

I  envision  a  network  that  can  discover  the  types  of  traffic  that 
it  is  carrying  without  modification  of  those  applications  on  the 
endpoints.  So  just  like  our  systems  today  discover  that  a  partic¬ 
ular  flow  is  malicious,  they  can  discover  that  a  particular  flow 

See  3Com,  page  16 


VPN  gateway  fills  hole  for  Krispy  Kreme 

Doughnut-maker’s  Web  portal  was  key  to  the  company  intranet,  extranet 


BY  TIM  GREENE 

Krispy  Kreme,  the  doughnut  people,  had  a 
problem: The maker of their Web portal was
going  to  upgrade  its  software,  and  the  portal 
would  no  longer  be  compatible  with  Krispy 
Kreme’s  SSL  VPN  gear. 

Following  research  and  trials  of  several 
other  VPN  gateways,  the  company  found 
Whale  Communication’s  e-Gap,  which  sup¬ 
ports  the  portal  and  also  gives  remote  users 
the  same  view  of  the  portal  they  would  get 
if they connected to it via the LAN. This benefited
the company because it could continue
to use the portal without having to
retrain the 1,000 or so end users that connect
through it to reach centrally located
applications, says Sam Gray, director of technical
services for the doughnut franchiser.

Krispy  Kreme  was  using  CoreSecure  SSL 
gateway  software  on  Windows  servers  to 
protect  Internet  connections  between 
remote  users  and  the  Krispy  Kreme  data 
center in Winston-Salem, N.C. Users connected
through the company portal supported
by CorePort, later bought by
OpenText.

Gray  tried  Nortel’s  Alteon  switches,  and 
Juniper’s and Aventail’s SSL gear. “With all of
them  we  were  able  to  get  to  a  certain  point 
but  were  not  really  able  to  get  all  of  the  var¬ 
ious  applications  that  sit  behind  our  portal 
to  work  properly  in  that  environment,” Gray 
says. 

The  company  was  trying  to  grant  users 
access  to  the  portal  and  to  use  the  portal  as 
they  always  had  to  reach  the  applications 
they  needed,  he  says. The  problem  was  that 
with  most  of  the  vendors,  users  had  to  first 
See  Krispy  Kreme,  page  16 
SSL supports Krispy Kreme portal

Krispy  Kreme's  intranet/extranet  portal  looks  the  same  whether  users  access 
it  from  within  the  corporate  network  or  via  SSL  gear  from  Whale  Communi¬ 
cations,  eliminating  the  need  to  educate  end  users  about  the  SSL  gateway. 


Remote  user  taps  into  Krispy  Kreme's  Whale  e-Gap  SSL  VPN  gateway  via  a  desktop 
browser,  and  Whale's  e-Gap  gateway  logs  the  user  on  to  the  Krispy  Kreme  portal. 


[Diagram labels: Remote user, Whale e-Gap, CorePort, Application servers]


The  e-Gap  presents  an  end  user  with  the  same  screen 
he  would  see  logging  in  from  the  LAN,  rather  than  the 
Whale  screen  he  would  see  if  the  e-Gap  were  not 
configured  to  accommodate  the  CorePort  portal. 


The  portal  links  end  users  to  servers 
in  the  data  center  and  supports 
transactions  via  the  SSL  VPN  gateway. 


Krispy  Kreme 

continued  from  page  15 

go  through  the  SSL  vendor’s  interface  before 
reaching  the  portal.  Once  in  the  portal,  they 
may  have  to  re-access  it  via  the  SSL  vendor’s 
interface  to  reach  a  separate  application. 

The  portal  for  Krispy  Kreme  is  a  master 
Web  page  for  the  company  intranet  and 
extranet,  a  launching  place  for  other  appli¬ 
cations  such  as  e-mail  and  its  supply  chain 
system.  “Just  having  an  SSL  appliance  that 
gets  you  to  the  portal  page  and  it  looks  right 
—  that’s  one  thing.  But  once  you  drill  down 
into  all  the  various  applications  that  this  por¬ 
tal  is  a  front  end  for,  everything  behind  it  has 
to  work,  as  well,”  he  says. 

In SSL gear trials, no vendor gave Krispy
Kreme exactly what it wanted, he says. “Nobody
was ever able to pull off a 100% successful
pilot. They’d maybe get 50% to 90%,
but there were always some applications or
some systems that just didn’t function properly,”
he says.

Even  Whale  wasn’t  ideal. 

“It’s not plug and play. It’s not like you pull
it out of the box and assign a couple of IP
addresses to it and it just magically works.
There was a lot of upfront work from their
engineering staff to get all of our stuff set up
behind their box and get it working,” he says.
Whale says the work it did to give Krispy
Kreme what it needed is now part of
Whale’s e-Gap platform so users with similar
requirements to Krispy Kreme can configure
the boxes themselves.

The company was looking for an SSL gateway
appliance as opposed to CoreSecure,
which ran on a Windows server. “It gets away
from managing the [operating system] and
hardware environment from one side and
the application from another. We’d rather
have it all in one pocket,” he says.

Upgrades  and  management  were  also  a 
problem,  especially  after  CoreSecure  was 
bought by a Swedish company, PortWise.
“The  time  zone  differences  and  the  lan¬ 
guage  differences  made  it  difficult  to  get 
support,”  he  says.  “A  lot  of  times  your  only 
option  was  to  leave  a  message  and  wait 
for  a  return  call.” 

Krispy Kreme chose SSL because the portal
is an extranet access point, Gray says. The
company didn’t want to use technology
that required a remote client. “We don’t really
own or have control of a huge portion of
the end user PCs that have to connect, so we
want to make sure whatever components
have to be installed on that remote PC are
easy to install and easy to support.” ■


McAfee,  Sygate 
add  USB  blocking 

BY  ELLEN  MESSMER 

Unauthorized use of USB hardware to gain access to information in
laptops and servers is a growing concern. With that in mind, security vendors
McAfee and Sygate this week are expected to unveil their own
approaches to blocking USB hardware
access to computers.

McAfee  is  adding  a  way  to  pre¬ 
vent  USB  devices  —  which  can 
hold  1G  byte  of  information  or 
more  in  keyfob-sized  hardware  — 
from  gaining  access  to  laptops  and 
servers  through  its  host-based 
Entercept  intrusion-prevention  sys¬ 
tems  (IPS)  product.  The  new  func¬ 
tionality  is  in  a  free  upgrade  for 
current  Entercept  5.1  customers. 

Sygate  this  week  will  announce 
that  its  host-based  policy-enforcement  software,  Sygate  Enterprise  Pro¬ 
tection  (SEP)  for  desktops  and  servers,  now  will  block  USB  devices.  SEP 
also  is  gaining  IPS  functions  that  transform  the  product  into  a  closer 
competitor  to  Entercept,  says  Sygate’s  Seth  Knox. 

SEP  5.0  has  added  a  way  to  control  access  to  USB  ports  and  CD/ROM 
drives  on  computers  so  that  network  managers  can  stipulate  acceptable 
procedures such as prohibiting access via iPods. The SEP software has
been  expanded  to  include  IPS  capabilities  to  prevent  buffer-overflow 
attacks  on  unpatched  systems  and  other  attempts  to  compromise  secu¬ 
rity  —  thereby  competing  more  directly  against  host-based  IPS  vendors. 

The  underlying  IPS  technology  relies  on  signature-based  identification 
of  specific  exploits  and  behavior-based  monitoring  to  identify  anom¬ 
alies,  Knox  says.  “Behavior-based  is  not  as  effective  as  signature-based, 
which  is  100%  precise,”  he  says.  “But  behavior-based  will  catch  some 
things  early  before  there’s  a  signature  to  identify  it.” 

McAfee’s  Entercept  costs  $400  per  server  and  about  $9  per  desktop, 
depending  on  volume.  Sygate’s  SEP  5.0  costs  $115  per  server  and  $65  for 
1,000  desktops.  ■ 


Taking  care 
of  business 

About  half  of  873  IT  pros  sur¬ 
veyed  by  StillSecure  called 
“too  many  other  business 
demands”  their  biggest 
obstacle  for  intrusion  preven¬ 
tion,  vulnerability  manage¬ 
ment  and  patch  management. 


3Com 

continued  from  page  15 

is  mission  critical  and  then  take  the 
appropriate  action  against  that  traffic 
based  on  the  policy  that  the  owner  of 
that  network  has  dictated. 

You  will  get  an  overlay  of  this  intelligence  plane 
onto  any  existing  connectivity  plane.  It  may  mani¬ 
fest  itself  in  the  same  switch  chassis  —  there  is  still 
a logical separation of those planes. You will have
intrusion-prevention  capabilities  inside  of  a  switch 
chassis  or  a  router  chassis,  both  at  the  edge  of  the 
network  and  on  the  inside  of  the  network.  And 
they’ll  handle  different  levels  of  policies  that  are 
instituted  across  the  network  in  different  ways. 

How  will  this  play  out  with  the  joint  venture  between 
Huawei  and  3Com? 

Generally  the  joint  venture  is  focused  primarily  on 
what  we  would  consider  the  connectivity  products, 
the  Layer  3-4  standards-based  components  of  the 
network.  We  are  working  with  them  tactically  on 
bringing  a  blade  to  market  that  takes  our  intrusion 
prevention  technology  and  puts  it  into  those  chas¬ 
sis.  I’ve  strongly  encouraged  everyone  at  3Com  to 
leverage  the  joint  venture  wherever  we  possibly  can. 

Where  is  the  future  for  3Com  in  the  network  market  with 
regards  to  just  the  transport  layer? 

It  maps  very  cleanly  to  the  vision  that  I  described 
earlier.  Where  you  have  two  planes  of  the  network, 
at  the  connectivity  plane  we’re  going  to  offer  very 
solid  products  at  a  more  attractive  price  than  our 
competitors  are  going  to  offer.  And  that’s  basically 
through  our  partnership,  the  joint  venture.  At  the 
other  plane,  our  forte  is  going  to  be  the  leadership 
of  our  [security  and  voice]  products  and  innova¬ 
tion  that  we  bring  to  bear. 

Regarding VoIP, where does 3Com need to improve or
change in light of the fact that its VCX line - a multi-thousand
seat IP PBX product — hasn't had much
traction with customers, and that 3Com's smaller
market NBX product has also lost market
share?

I  was  surprised  to  find  that  3Com  even 
had  these  technologies.  We  need  to  make  a 
little more noise about what we have. That’s not a
technology  statement;  that’s  an  awareness  state¬ 
ment.  Our  NBX  product  is  best  of  breed,  in  terms  of 
how  easy  it  is  to  install,  how  complete  it  is  in  its  fea¬ 
ture  set.  And  it  has  demonstrated  that  in  its  growth. 
The  VCX  is  also  unique  from  a  technology  stand¬ 
point,  that  it  is  fully  [Session  Initiation  Protocol] 
compliant,  and  its  distributed  nature  of  the  architec¬ 
ture,  which  makes  it  extremely  resilient. 

Where  does  3Com  fit  into  the  landscape  of  wireless  LAN 
switch  vendors  and  competitors  who  put  WLAN  features 
into  their  wired  gear? 

We have a very complete wireless offering, but we
need to look at that from a more strategic viewpoint.
That’s something we’re going to do over the
next couple of months. We have these neat security
voice technologies; how does wireless fit in with
those? There are obvious things, such as let’s marry
our security technology with our wireless technology.
Let’s marry our VoIP technology with our wireless
technology. Let’s take a wireless access point blade
and put that into one of our chassis. Then you have
a security blade and networking blade, and you
have a complete solution in one. Let’s take some of
our security technology and potentially embed that
within the access point itself. Those are things we
clearly need to do and there are portions of that
happening already.

Are  there  any  areas  3Com  is  in  right  now  that  maybe  it 
should  not  be? 

3Com  has  an  enormous  portfolio  of  products.  We 
need  to  assess  which  of  our  products  still  make 
sense  for  us  to  continue  to  offer,  and  which  ones 
are  just  not  strategic.  ■ 


Open source rating system debuts


Short  Takes 


■ Alienware has announced a
series  of  rack-mounted  servers  that 
feature  one  or  two  64-bit  Intel  Xeon 
processors  and  that  can  run  32-  and 
64-bit  applications.  The  company's 
Hivemind  servers  support  up  to  2.4T 
bytes  of  Serial  Advanced  Technology 
Attachment  or  1.8T  bytes  of  SCSI 
hard  drive  storage  and  up  to  12G 
bytes  of  error  checking  and  correct¬ 
ing  double  data  rate-2  memory.  The 
systems  cost  $1,064  to  $2,134. 

■  Avocent  last  week  introduced  the 
DSR1031,  an  eight-port  digital  KVM 
switch  designed  to  enable  compa¬ 
nies  to  manage  IT  resources  remote¬ 
ly  over  IP  networks.  Diagnostic  test¬ 
ing,  patch  management  and  other 
tasks  can  be  completed  via 
Avocent's  DSView  3  management 
software.  The  switch  can  be  con¬ 
nected  to  a  control  enabling  techni¬ 
cians  to  power  devices  on  and  off 
remotely.  The  switch  starts  at  $2,000. 

■  The  Mozilla  Foundation,  which  dis¬ 
tributes  the  open  source  Firefox  Web 
browser,  last  week  announced  it  has 
created  a  corporate  subsidiary  to 
help  widen  the  use  of  its  products. 
While  the  goals  of  the  subsidiary, 
Mozilla Corp., include generating
revenue  and  profit,  its  primary  inter¬ 
est  is  to  sustain  the  development  of 
Firefox  and  other  products  and  help 
the  foundation  promote  open  stan¬ 
dards  on  the  Web,  the  group  says. 
Mitchell  Baker,  a  former  Netscape 
lawyer,  is  president. 

■ ActiveGrid last week unveiled
Version  1.0  of  its  Application  Builder 
and  LAMP  Application  Server  prod¬ 
ucts.  The  company  aims  to  provide 
customers  with  a  cost-effective 
approach  to  develop  and  deploy  Web 
services,  specifically  applications 
that  must  scale  to  handle  thousands 
or  even  millions  of  transactions.  The 
early  version  has  had  5,000  down¬ 
loads,  the  company  says.  The  1.0 
releases  add  features  such  as  sup¬ 
port  for  Web  services,  says  Peter 
Yared,  ActiveGrid  founder  and  CEO. 


Start-up,  Intel  join 
university  to  judge 
software  efforts. 

BY  CHINA  MARTENS,  IDG  NEWS  SERVICE 

A university, a start-up and a chip giant are
pushing a proposal for a standard model to
rate open source software to provide customers
with a better sense of the maturity
of the more than 100,000 open source projects
available today.

The  Business  Readiness  Ratings  (BRR) 
model  unveiled  last  week  is  the  brainchild 
of  Carnegie  Mellon  University  West’s 
Center  for  Open  Source  Investigation 
(COSI) and is co-sponsored by SpikeSource,
an open source testing and certification
start-up, and Intel.

“The  model  allows  users  and  developers 
to  get  a  feeling  for  the  appropriateness  of 
open  source  software  for  their  environ¬ 
ment,”  says  Joaquin  Ruiz,  vice  president  of 
product  marketing  at  SpikeSource. 


Lots  of  digital  ink  has  been  spilled  over 
the  past  week  or  so  as  pundits,  visionaries 
and  other  important  (and  self-important) 
commentators  rushed  to  explain  the  whys 
and wherefores of Microsoft’s announcement
that its next operating system would
be  named  Vista.  Lots  of  talk  about  the  inter¬ 
nal  “debate”  to  choose  a  name.  Lots  of  bad 
jokes  quoting  one  of  Arnold  Schwarz¬ 
enegger’s  more  famous  movie  lines.  All  of 
this,  though,  merely  obscured  what  I  feel  is 
the  real  reason  the  name  was  announced 
now. 

It  distracted  many  folks  from  the  ship¬ 
ment  of  the  first  beta  version  of  the  soft¬ 
ware,  which  was  also  announced! 

Even I had thought we were on beta 532
by now. But, no. Evidently for all these years
we’ve been talking about alpha (or earlier)
software. Back in 2002, in my Windows
Networking Tips newsletter (www.networkworld.com,
DocFinder: 8333), I wrote: “most


One  way  of  thinking  about  the  BRR 
model  is  as  a  kind  of  tailored  Netflix  ser¬ 
vice,  he  says.  Like  the  online  video-ordering 
service,  users  and  developers  will  rate  the 
different  open  source  projects. 

The  model  should  save  organizations  a 
good  deal  of  time  they  would  have  spent  in- 
house  trying  to  assess  the  wealth  of  avail¬ 
able  open  source  projects,  Ruiz  says.  For 
instance,  if  a  company  is  looking  for  an 
open  source  Wiki-type  application,  seven 
are  available,  and  he  estimates  135  open 
source  general  content-management  tools 
are  in  the  market. 

For  the  next  three  months,  COSI, 
SpikeSource  and  Intel  welcome  comment 
on  the  BRR  model  from  users  and  devel¬ 
opers,  Ruiz  says.  Based  on  those  comments, 
the  model  will  be  enhanced,  and  the  orga¬ 
nizations  hope  to  have  the  model  in  pro¬ 
duction  by  the  year-end,  he  adds.  The 
model  will  need  to  be  adaptable  to  reflect 
different  usage  assessments,  with  the 
requirements of a university, for example,
distinct  from  those  of  a  large  corporation, 


folks  were  saying  that  the  next  version 
(code-named  Longhorn)  won’t  be  out  until 
the  second  half  of  2004.”  A  year  later,  I  had  to 
report: “the big news for those of us who follow
operating systems was that [Longhorn]
won’t  ship  until  2005.” 

Now  we’re  being  told  that  Vista,  the  oper¬ 
ating  system  formerly  known  as  Longhorn, 
might  —  if  we’re  really  lucky  —  be  with  us 
for  the  2006  “holiday  season.”  But  no  one  is 
specifying which holiday. Even then, we’re
told,  this  might  necessitate  cutting  a  few 
more  features  out  of  the  package. 

Soon,  of  course,  there  won’t  be  anything 
left  but  a  boot  loader,  GUI  and  browser. 

We’ve  been  hearing  about  Longhorn/Vista 
for  a  half  dozen  years,  since  even  before  the 
Longhorn  code  name  was  chosen. An  entire 
industry  seems  to  have  grown  up  just  to 
cover  what’s  being  added  to,  removed  from 
or  modified  in  the  next  desktop  operating 
system from Microsoft. That feeds the feeling
that,  because  it’s  been  so  long  since  the  last 
desktop  operating  system  shipped,  this  next 
one  needs  to  be  a  blockbuster.  Maybe  it’s 
time  we  all  paid  attention  to  something  else 
until  the  day  Vista  ships. 


Ruiz  says. 

COSI, SpikeSource and Intel have defined
12  categories  for  assessing  open  source 
projects,  including  how  well  the  software 
meets  users’  needs,  its  usability,  scalability, 
performance  and  support. 

Each  category  has  a  number  of  metrics. 
For instance, under the rating “quality,” metrics
include users’ estimations of the quality
of the software’s design, the code and the
testing  and  how  complete  and  error-free 
each  of  these  are. 

Users  rate  the  categories  for  a  project 
using a scale of 1 for “unacceptable” up to 5
for  “excellent,”  and  then  the  12  categories 
are  weighted  in  terms  of  importance. 

On  the  BRR  Web  site,  the  model’s  sponsors 
provide  a  white  paper  and  discussion 
forums  together  with  samples,  standard 
templates  and  worksheets  of  the  model.  In 
the  white  paper,  the  sponsors  state  the  aim 
of the model is to offer “a vendor-neutral federated
clearinghouse of quantifiable data
on  open  source  software  packages  to  help 
drive  their  adoption  and  development.”  ■ 


When  I  heard  the  name  announcement,  I 
didn’t  think  of  Schwarzenegger’s  quote 
from “Terminator 2: Judgment Day.” No, I
thought  back  to  the  old  Fibber  McGee  and 
Molly  radio  program.  Fibber  lived  at  79 
Wistful  Vista,  and  wistful  (“Full  of  wishful 
yearning,”  according  to  the  dictionary)  was 
how  I  felt,  with  a  yearning  to  finally  get  this 
operating  system  onto  retail  shelves. 

Kearns,  a  former  network  administrator,  is 
a  freelance  writer  and  consultant  in  Silicon 
Valley. He can be reached at wired@vquill.com.


Tip  of  the  week 


■  The  second  definition  of  "wistful"  is  “pen¬ 
sively  sad;  melancholy."  If  that’s  what's  trou¬ 
bling  you,  bunky,  check  out  what  Microsoft 
can  do  that's  still  exciting.  To  see  the  beta 
version  of  Redmond's  new  mapping  and 
location services, visit www.networkworld.com,
DocFinder: 8334.


Is  Vista  vision,  revision? 
Builder relies on wireless as key tool


Wireless  mix 


Commercial  builder  Rudolph  and  Sletten  routinely  deploys 
several  types  of  wireless  at  job  sites. 

[Diagram labels: construction job site (Tablet PC, Palm Treo, laptop); WAN links via satellite, Internet, frame relay/IP; headquarters]
BY JOHN COX

Over  the  roar  of  belching 
diesels  and  the  hiss  of  cutting 
torches,  a  worker  wearing  the  dis¬ 
tinctive  robin’s  egg  blue  hard  hat 
of  California  builder  Rudolph 
and  Sletten  taps  on  a  Tablet  PC  to 
view  a  CAD  drawing  on  a  remote 
server. 

Elsewhere  on  the  sprawling  con¬ 
struction  site,  a  manager’s  Palm 
Treo  delivers  a  schedule  change 
for  a  meeting  with  a  subcontrac¬ 
tor,  and  a  budget  overseer  from 
the  contractor’s  regional  office 
flips  open  his  wireless  laptop  for  a 
meeting  in  the  job  site’s  mobile- 
home-like  quarters. 

The Redwood City, Calif., company,
one of the leading West Coast
builders,  specializes  in  high-tech 
buildings  for  high-tech  clients, 
including  bioscience  companies, 
and  for  high-profile  universities 
and  hospitals.  Past  efforts  includ¬ 
ed  Microsoft’s  Bay  Area  campus, 
Sun’s  R&D  campus  and  large  pro¬ 
jects  for  CalTech  and  Stanford. 

Today,  the  general  contractor 
routinely  uses  four  types  of  wire¬ 
less  nets,  all  with  a  single  purpose: 
to  allow  an  increasingly  mobile 
and  computerized  workforce  to 
gain  access  to  the  company’s  crit¬ 


BY  JENNIFER  MEARS 

When  Virtual  Iron  Software 
debuted in February, analysts singled
out the company for taking a
unique  approach  to  server  virtu¬ 
alization  by  not  only  slicing  up 
single  physical  servers,  but  also 
by  making  multiple  small 
machines  appear  to  be  one  big 
symmetric  multiprocessing  box. 
This  week,  the  start-up  is  bringing 
another  twist  to  the  fast-growing 
virtualization  market  by 
announcing  that  it  will  support 
virtualization  software  from  other 
vendors  with  its  management 
products. 

Virtual  Iron  plans  to  announce 
at  LinuxWorld  in  San  Francisco 
that  its  management  platform  will 
support Xen, an open source server
virtualization technology.

This  means  end  users  will  be 
able  to  use  Virtual  Iron’s  manage¬ 
ment  tools  to  handle  not  only 
Virtual  Iron  VMs,  but  also  those 
created  with  the  Xen  VM  monitor. 


ical  applications.  These  include 
construction  planning  and  man¬ 
agement  programs,  calendars  and 
e-mail. 

The  network  strategy  was  forged 
by  CIO  Sam  Lamonica,  who 
joined  the  company  two  years 
ago.  His  goal  was  to  exploit 
mobile  technologies  to  put  com¬ 
puter  power  into  people’s  hands, 
so  they  could  connect  to  central 
applications  at  any  time  and  tie 
into  the  stream  of  e-mail  and 
schedule  changes  that  govern  the 
daily and weekly rhythm of the
company.

The  first  step  was  to  make 
mobile  e-mail  and  scheduling 
available  via  Treo  and  Research- 
in-Motion  BlackBerry  devices 
over  cellular  services  from  Sprint 
and Nextel. “We rolled these out,
and they caught on rapidly,”
Lamonica says. “This has been a
huge  benefit  for  us.” 

The  Treo,  a  combination  cell 
phone/PDA,  is  “darn  near  a 
replacement  for  some  laptops,”  he 
says. “They have wireless access to
e-mail,  contacts,  calendars,  voice 
and  the  Web.  It  opens  any  attach¬ 
ment,  including  PowerPoint  and 
Excel.  It  provides  someone  like 
me  pretty  much  all  the  functional- 


A  VM  is  basically  a  software  file 
that  contains  an  operating  system 
and  application. 

“What  they’re  doing  that’s  inter¬ 
esting  now  is  saying, ‘OK,  we  may 
not  be  the  only  people  providing 
the  virtual  machine  software  that 
people want to use,’” says Dan
Kusnetzky, an analyst at IDC. “They
realize that management and
provisioning and security are
very important issues to people. ...
They have developed this really
powerful  management  environ¬ 
ment,  and  they’re  extending  it  to 
encompass  more  of  the  kind  of 
work  people  are  likely  to  be 
doing.” 

The  Virtual  Iron  management 
platform  enables  end  users  to  set 
policy-based  rules  to  move  work¬ 
loads  across  servers  according  to 
application  demands. 

The  Virtual  Iron  management 
platform  provides  the  ability  to 
create  VMs,  move  them  from  one 
physical  server  to  another  with- 


[Diagram labels: Outdoor WLAN mesh; Indoor WLAN]


ity  I  need  when  I’m  on  the  road.” 

The  next  step  was  creating  con¬ 
nectivity  for  laptop  users  moving 
between  Rudolph  and  Sletten’s 
headquarters,  three  regional 
offices,  and  as  many  as  50  job 
sites.  Lamonica  chose  Airespace 


out  disrupting  applications,  start 
VMs,  pause  them,  restart  them, 
track  performance,  and  —  per¬ 
haps  most  importantly  —  enables 
users  to  distribute  workloads 
across  all  of  the  different  physical 
servers  available. 

By  extending  its  management 
tools  to  include  Xen,  Virtual  Iron 
is  giving  end  users  an  even  more 
unified  view  of  their  data  center, 
Kusnetzky  says.  “Whether  they 
will manage [SWsoft or VMware]
environments  seem  to  be  the 
next  obvious  question  to  ask,”  he 
says. 

The  Xen  VM  monitor  manage¬ 
ment  module  will  be  available  in 
the  fourth  quarter  as  a  standard 
part  of  the  Virtual  Iron  platform. 
Virtual  Iron  also  will  release  the 
module  under  an  open  source 
license. 

The  Virtual  Iron  platform  is 
priced  per  CPU  bundle,  typically 
32,  64  or  128.  The  average  price 
per  CPU  is  less  than  $1 ,000.  ■ 


Site  LAN 


(now  part  of  Cisco),  In  part 
because  of  the  depth  of  its  wire 
less  security  features. 

Airespace wireless LANs were rolled out first at the headquarters and regional sites, and then to a growing number of work sites. “The wireless LAN is now almost a standard deployment,” he says. There are roughly 40 access points up and running, all centrally controlled. Laptop users simply open up their computers, authenticate and start computing.

The WLANs also simplify network functions at job sites where trailers are set up near each other over time. “People can just start working right away because the wireless LANs overlap,” Lamonica says. Visiting architects or subcontractors can get guest access accounts, which lead only to the Internet, for example. These users then fire up VPN software to reach their corporate networks.

Was there a way to get WLANs to overlap an entire job site, to support the growing number of Tablet PC users and more dispersed office trailers? Lamonica’s team evaluated outdoor WLAN mesh products from BelAir, Strix, and Tropos, and they chose BelAir.

In a wireless mesh, similar to the Internet’s topology, access points can interact without wires to create an optimal path for data packets. Conventional WLANs require each access point to be wired to a LAN switch. A mesh can be simpler, faster and cheaper to deploy and has a greater range compared to conventional WLANs.

Start-up extends virtual reach

The initial pilot test ran into a variety of problems, almost all of them related to the nodes’ firmware, Lamonica recalls. Once those got resolved, the mesh “came right up,” he says. “Performance has been good.” Tablet PC users now have “total access to the business applications on our servers.”

Satellite links, which are relatively slow and expensive, are reserved for special cases. “Sometimes we can get voice service but not broadband or T-1 data links,” Lamonica says. “Just recently we found one site that couldn’t even get voice.” The contractor sets up a dish and router to deliver the network connection. Lamonica is starting to look at VoIP services, including Vonage. One option is to use Vonage over the IP satellite link to support voice at an isolated job site.

Driving the wireless deployments are not hard savings or other quantifiable metrics, but rather the benefit of being connected anywhere, anytime. “We’re seeing our dependence on wireless,” Lamonica says. “When it’s not working, the number of calls I get at the help desk jumps way up.”

Two main mobility challenges have been the durability — or the lack of it — of mobile devices at construction sites and the generational differences in computer literacy among employees.

“We love the Treos, but they’re not as rugged as we’d like,” Lamonica says. But the alternative — handheld PCs designed for use at hard locations — is cost prohibitive, especially given the rate of change in handheld computers, he says.

Older employees have been slower to adopt the new technologies. Lamonica is addressing that partly through training for all employees and partly by relying on a kind of gentle peer pressure to motivate workers. “If you miss an e-mail from the boss, and the guy next to you gets it [through a mobile device], you notice that,” he says. ■
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WIDE-AREA  FILE  SERVICES 


Bringing  LAN-like  file  delivery  to  WANs 


From WAN to WAFS

Some vendors concentrate on accelerating Web traffic; others focus on speeding up wide-area file services (WAFS). But, increasingly, companies are handling both.

Company/Product | Type of acceleration | Caching/disk store | Price
Availl Software/Multi-Directional Replication | CIFS | Not unless available on server | $1,500 per site
Brocade Communications/Tapestry Wide Area File Services | CIFS, NFS | 100G to 700G bytes of cache | Available from OEMs
Cisco/FE511 File Engine | CIFS, NFS | Cache/80G bytes of storage | $12,000 for 50 users
DiskSites/FilePort and FileController | CIFS, NFS | Cache | $14,000 FilePort, $9,000 FileController
Expand Networks/Accelerator | WAN data, CIFS, NFS | Cache | Starts at $4,500
HP/StorageWorks Enterprise File Services WAN Acceleration | WAN data, CIFS, NFS | Cache/80G to 512G bytes of storage | Starts at $11,170
Novell/Nterprise Branch Office | NetWare Core Protocol | Cache/Disk space if it exists on server | $2,500 per server
Orbital Data/5500 | WAN data, CIFS, NFS | Cache | Starts at $5,000
Riverbed/Steelhead | WAN data, CIFS, NFS | Cache/80G to 512G bytes of storage | Starts at $24,000
Swan Labs/WANJet SL400 and SL200 | WAN data, CIFS, NFS | Cache | Start at $1,500
Tacit Networks/iShared Server, Remote and Symmetric | CIFS, NFS | 100G to 700G bytes of cache | Start at $7,500

Gold’s Gym had been asking its network and end users to do some heavy lifting. End users trying to work together across 40 gyms and three corporate offices were using e-mail to exchange files and faced the challenge of keeping track of changes to different versions, as well, says Kurt Koenig, IT manager for the fitness company in Falls Church, Va.

But that system wasn’t sustainable, Koenig says. He wanted to relocate files previously housed at each location to a centrally accessible data center in Columbia, Md. To make the transition, he turned to an increasingly popular technology called wide-area file services (WAFS), designed to provide LAN-like file delivery across WANs.

“We now have one G: drive with national access, so no matter where users are, they can get to their data quickly,” he says.

Gold’s is using a WAFS product from Availl Software, one of a number of vendors in this market, which also includes Brocade, Cisco and Swan Labs (see graphic). WAFS products come in the form of software, which runs on file servers, and appliances.

WAFS works by reducing the “chattiness” of Microsoft’s Common Internet File System (CIFS) and the Unix/Linux Network File System (NFS) protocols. It also works by decreasing the latency of WAN communications by eliminating much of the round-trip traffic caused by opening and closing files. CIFS and NFS were designed to work in LAN environments where latency is low.

“The CIFS and NFS file protocols are extraordinarily chatty,” says John Henze, director of product marketing for the Caching Services Business Unit at Cisco. “These files consist of hundreds and hundreds of synchronous, short byte-length messages that go back and forth before any payload is actually sent, causing high latency and low throughput. This differs from on the LAN where you have virtually no latency.”

Seeking  a  way  to  centralize 

Brian Laska, technical architect at Computer Sciences’ Consulting Group/Global Infrastructure Services in Southborough, Mass., chose Cisco’s File Engine after discovering and evaluating the problems with transferring files across the WAN.

“When we went to upgrade our server hardware to support Windows 2000, we saw that about 20 smaller branch offices were primarily doing file services,” he says. “We wanted a way to centralize them, to support them, back them up and save on data-vaulting expenses. But we saw that centralizing file services would be a heavy load on the WAN. The file protocols that are in use are not very tolerant to high-latency, low-bandwidth wide-area networks, which is what most companies have.”

With the number of remote offices increasing, more and more data is transported across the WAN. Randy Kerns, an independent storage analyst in Boulder, Colo., estimates that Fortune 500 companies have as many as 4 million employees working from remote locations.

Further, many of these workers use file and print sharing extensively. Often, no skilled IT staff is available to handle operations such as network management and data backup. All of which adds up to a need for products along the lines of what the WAFS vendors are offering.

How  it  works 

The software from Availl being used by Gold’s Gym differs from appliance-based packages. In an Availl implementation, the software is installed on each Windows file server in the remote office and at the data center. As users make changes to files, they are replicated to the data center. As it is with most WAFS software, updated files are transferred to the remote offices only when requested.

In a typical WAFS configuration, an appliance is installed in the data center, where it connects to primary storage. This appliance connects over the IP network with an appliance situated in the branch office. Users’ requests for files are transmitted to the appliance in the data center, and the file is opened and sent to the branch office. Changes that the users make to the file are similarly encrypted, compressed and sent to centralized storage whenever they are made.

In this fashion, IT can reduce much of the bandwidth required by file operations. Users also can benefit from the centralized management of file data on the WAN. And because data from remote offices converges at the data center, it’s no longer necessary to back up the remote.

Some WAFS appliances, such as Tacit Networks’ iShared Remote or Expand Networks’ Accelerator, have local cache memory, which holds frequently accessed files so they can be instantly available to remote office users. File server-based software, such as Availl’s, synchronizes all file changes with the data center and other remote offices.

Other  advantages  of  WAFS 

Much WAFS software has coherency, file locking and consistency checks to prevent files from overwriting those that users are working on and ensure the most current version is the one users access.

In some ways, WAFS offerings sound like WAN acceleration products, and in fact, vendors are increasingly offering dual-purpose products. Last week, Expand, a Web-optimization vendor, announced a product called Accelerator that handles WAFS; Swan Labs last month unveiled an appliance called WANJet, which it says cuts WAFS traffic by as much as 500%; and Riverbed Technology, which makes the Steelhead line of accelerators, last month announced software that supports WAFS.

WAFS deals with file data — Word documents, spreadsheets, Microsoft Exchange data — while WAN acceleration or optimization appliances work with other forms of data — HTML, HTTP, DNS and VoIP.

“File services are absolutely a huge piece of it and a pretty big pain point,” Henze says. “But there’s a whole lot of other traffic going on — HTTPS, HTTP, FTP, messaging [MAPI] or voice over IP — all that stuff is going on across a distributed environment.”

Cisco’s FE 511 File Engine handles WAFS, but don’t be surprised to see Cisco offer an integrated WAFS and WAN acceleration product. After all, the company recently bought FineGround, which specializes in application acceleration, management and security. ■
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APPLICATION  SERVICES 
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No  slowdown  in  software  investing 

Quarterly  venture  capital  survey  also  shows  signs  of  life  in  network  equipment  makers. 


Software  rules 


For  the  past  seven  quarters,  software  companies  have  attracted  the  most 
investments  among  all  the  sectors  tracked  by  the  MoneyTree  survey. 

(Dollar  figures  shown  in  billions). 
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While  network  and  telecom  start-ups  this 
year are beginning to see some renewed interest from investors, the software sector continues to attract the most funding, particularly those companies with products having anything to do with security.

Software companies saw $1.3 billion in investments in 231 deals during the second quarter, up from $1.2 billion for the first quarter, according to the latest MoneyTree Survey, published quarterly by PricewaterhouseCoopers, Thomson Venture Economics and the National Venture Capital Association (NVCA). Companies that fall into the software category — which the survey defines as software programs for business or consumer use and includes both general-purpose and vertical applications — have gained the most investments for the past seven quarters, clearing the $1 billion mark every time (see graphic, right).

Five of the top 20 investments went to companies with security-related products last quarter, as they together secured more than $72 million (see graphic, below).

Investors have been pouring money into software companies for the past few years because these investments have seemed safe compared with sectors such as network and telecom that skyrocketed during the Internet bubble only to crash and burn when it burst. In addition, the trend toward doing business over the Web and the recent focus corporations are placing on security have given rise to new software categories that are deemed essential, and therefore viewed as good investment bets.

Short Takes

■ IBM last week announced it had entered into an agreement to acquire DWL, a maker of customer data integration middleware, for an undisclosed amount. The deal will equip IBM with the Atlanta- and Toronto-based company’s transactional data integration technology, which for example lets users gain a single view of customer information across front-office and back-end systems. The DWL Customer software works as a hub connecting multiple systems containing customer data and ensures compliance with regulatory standards. Big Blue will integrate the Java-based software into its information integration portfolio.

Although he generally describes the security market as over-funded, one venture capitalist says there’s still plenty of room for investing in these companies. “We’re really looking for either new approaches to existing problems in large markets, or white spaces — markets that are small today but we expect to grow in the future,” says Asheem Chandna, venture partner with Greylock Partners. Examples of companies targeting white spaces are makers of regulatory and industry compliance software and products designed to protect corporations from information leakage.

Despite software’s dominance, networking and telecom companies are starting to pique investors’ interests again, as evidenced by this year’s first- and second-quarter investing trends. VoIP service provider Vonage, which attracted $200 million in its sixth financing round, sealed the second-largest deal of the quarter. Also ranking among the top 10 deals were switch maker Caspian Networks, which received $55 million, and access equipment vendor Entrisphere with $50 million.

This renewed interest is “in part pent-up demand. People literally spent nothing on new [network] equipment for quite a few years,” says Shanda Bahles, managing partner with El Dorado Ventures, which invested in Entrisphere during the second quarter. “Driving this is the desire to put video, voice and data on the same network.”

Recent acquisitions by large network vendors also are helping to bolster start-ups in this area. “Cisco and a few others have started nibbling again at acquisitions,” says Tracy Lefteroff, global managing partner at Venture Capital & Private Equity Practice at PricewaterhouseCoopers, adding that merger and acquisition activity usually is the first sign of interest in a sector.

What’s missing, he adds, are a few successful public offerings from network or telecom companies that would put the sector in good graces with investors on a more permanent level.

Investors put $5.8 billion in 750 companies during the second quarter, up from $4.9 billion in the first. This isn’t surprising, says John Taylor, vice president of research with NVCA, because the second quarter traditionally sees more investment activity.

The majority of the funding went into early-stage or late-stage deals, although NVCA expects to see more investments in early-stage companies going forward as investors look for fresh businesses to invest recently raised funds in. ■
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Money  magnets 

During  the  second  quarter,  security-related  companies  dominated  the  top-20 
investments  list: 


Company | Product | Amount invested | Stage
Ingrian Networks | Encryption software | $15.4 million | Expansion
Voltage Security | Encryption and policy enforcement platform | $15 million | Late
Cenzic | Security and policy enforcement testing | $15 million | Late
PortAuthority Technologies | Information leak prevention software | $13.4 million | Expansion
BlueLane Technologies | Patch emulation software | $13.3 million | Expansion

SOURCE:  MONEYTREE  SURVEY 
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Making  Verizon  giddy 


NET  INSIDER 

Scott  Bradner 


The first public step on a potentially long road to a replacement for the Telecommunications Act of 1996 has now been taken. Sen. John Ensign (R-Nev.) just introduced the Broadband Investment and Consumer Choice Act of 2005, which would replace large parts of the older act. I don’t think anyone could claim with a straight face that this is a balanced proposal.

If anyone somehow thought that, they would have been quickly corrected by the almost giddy reaction from traditional carriers, such as Verizon, and their trade associations. The 72-page bill (take a closer look at the proposed bill at www.networkworld.com, DocFinder: 8328) introduced by Ensign, chair of the Senate Commerce Committee’s Technology, Innovation and Competitiveness Subcommittee, is far from all bad — but also far from all good.

The bill removes most facilities-based telecom and satellite TV providers from any state, federal or local regulation such as regarding prices or quality. The most mentioned effect of this is that local governments would not be able to stop video service deployment by telephone companies.

The only exception is that incumbent local exchange carriers (ILEC) would have to continue to make available their copper access loops and sell telecom services at wholesale rates to competitors for a while. Providers of broadband (defined as anything more than 64K bit/sec) would not be able to block customer access to legal content or services, including VoIP. But they could offer a special reduced-access service for those that want blocking. Under the bill, the ILECs would have to offer a basic telephone service at current rates throughout their territories, with the quality characteristics defined by the FCC, at least until 2010.

The bill does not actually ban municipally owned networks but it does put restrictions on them that will be hard to overcome, so the effect is about the same. What the bill does not do is back away from the old and restrictive service-based thinking. The bill still refers to broadband, telephone, satellite TV and video services and treats them differently.

Other than requiring that ILECs offer basic telephone service, because of the historical importance of such a service, and sell access to their copper access loops, because of the regulated monopoly under which this was installed, there should be almost no regulations.

Half of this bill could go away if it just said the above and that governments could not control what services different connectivity providers wanted to offer.

The bill also should state that connectivity providers could not restrict or affect the performance of customer access to legal services offered by third parties, except in a provider-neutral way to protect their network. The same logic should apply to controlling local rights of way, which the bill addresses only for video services providers.

The proposal does not address the Universal Service Fund, state or local taxes on broadband services or services provided over broadband. Neither does it address wiretapping legal intercepts (or other law enforcement needs) and any final bill will need to do so. This is an interesting first step, but I will say that the image of a giddy Verizon does something unpleasant to my stomach.

Disclaimer: Even though being giddy at Harvard is not all that uncommon, I know of no university view on the giddiness level of phone companies.

Bradner is a consultant with Harvard University’s University Information Systems. He can be reached at sob@sobco.com.


Mercury  polishes  applications  testing  tool 


BY  STACY  COWLEY,  IDG  NEWS  SERVICE 

Mercury Interactive has released an updated version of its application quality assurance tool, adding user-acceptance features to the software and expanding its integration with other Mercury testing tools.

Mercury’s initial Business Process Testing product, first released about a year ago, is part of the company’s Quality Center suite of software for automating and tracking application-testing functions. The new version adds a user-acceptance certification step to the testing process, which now features a Web interface that business executives can use to try out a new application and provide structured feedback on it.

The addition is intended to automate a step that is often left to ad hoc manual documentation, says Matt Morgan, Quality Center director of products. “This was driven by [customers’] need to have a closed-loop system that documents all of this on a nice audit trail,” he says.

In the new version, Mercury has also enabled integration with its WinRunner regression testing software, allowing customers to plug current WinRunner test scripts into Business Process Testing. Mercury says it hopes the move will expand the product’s customer base by making the tool more attractive to WinRunner’s estimated 75,000 users.

In the 10 months it has been on the market, Business Process Testing software has been used by 150 organizations, Mercury says. Raymond James Financial has significantly sped up its testing process since purchasing Quality Center two years ago, according to Quality Assurance manager Leanne Stumph. The St. Petersburg, Fla., financial services company initially deployed Mercury’s QuickTest Professional testing tool, another Quality Center component, but found the software too developer-centric for its business-analyst users. “We talked to Mercury about our options, and they led us to” Business Process Testing, Stumph says. “It was much easier for [the business analysts]. It led them step-by-step, and they can understand it from their standpoint, the business side.”

Using Business Process Testing and QuickTest Professional in combination, Raymond James has run several applications through testing with Mercury’s products, including a mutual fund order-entry system and an application to transfer information from the company’s PeopleSoft ERP system to a custom application.

Mercury estimates that a 15-user deployment of Quality Center, including Business Process Testing, costs around $50,000. ■

BY STACY COWLEY, IDG NEWS SERVICE

WebEx Communications last week announced it agreed to buy collaboration software developer Intranets.com for $45 million. The deal allows WebEx to take out a rival that had aggressively chased the smaller end of WebEx’s core market, Web conferencing services. WebEx President Bill Heil says the company plans to preserve Intranets.com’s products and pricing.

“Our strategy is to aggressively go after the small business market,” he says. “We think that takes lower price points as a fundamental thing, and a software-as-a-service strategy.”

Intranets.com cycled through a variety of business models as it rode the dot-com boom and bust. The company offers corporate collaboration applications such as document management, database, group calendar and scheduling tools priced on monthly subscription. Its target market is small businesses with as many as 100 employees — organizations that have outgrown ad hoc products but don’t want the complexity and expense of enterprise collaboration software.

In early 2004, Intranets.com began offering Web and audioconferencing. The move was aimed directly at undercutting Microsoft’s Live Meeting software and WebEx’s service. “Intranets.com now provides all of the functionality of similar Web conferencing offerings from WebEx and Microsoft Live Meeting, but at a fraction of the price,” the company proclaimed in a September press release. The company’s Web conferencing pricing has fluctuated since its introduction; a monthly subscription covering five presenter licenses costs $199.
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Effective  last  week,  WebEx  took  over  the 
back end of Intranets.com’s conferencing service, replacing NetSpoke’s technology. Heil says WebEx plans “substantial improvements” to Intranets.com’s products before year-end, but he declines to offer more details. Intranets.com says it has a customer base of 300,000 paying subscribers from 10,000 companies. ■
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Carrier  boundaries  challenge  MPLS  VPNs 

Need  for  an  MPLS  interconnect  arises  to  ensure  service  reach,  consistency. 


BY  JIM  DUFFY 

Enterprise customers looking to utilize multiple carriers to provide global reach for their MPLS VPNs might find themselves thrown for a loop.

Differences in the way carriers assign QoS attributes to separate MPLS paths can result in service inconsistency. And because no single carrier has a footprint in every possible locale an organization might have to reach, each has to establish MPLS interconnect agreements with other carriers that might have configured VPN QoS profiles much differently.

Short Takes

■ BellSouth last week launched a commercial wireless broadband service designed to travel with subscribers as they move from place to place. The service debuted in the university community of Athens, Ga. The carrier is pushing the service as an alternative to its DSL offering. The network covers an area around the University of Georgia campus and has a range of 3 to 5 miles. The small wireless broadband deployment is among the first by a major U.S. carrier, though other fixed-line and cellular providers, including Nextel, Sprint and Qwest, have explored the technology. BellSouth also plans to use it to reach rural customers who can’t access DSL, the company says. It plans to start commercial services in some rural Florida communities later this year.

■ Juniper has added Nominum, a provider of IP address management products, to its J-Partner OSS & Network Management Alliance. The companies will cross-market each other’s network infrastructures and IP address management products as scalable DHCP services for broadband Internet applications and mobile connectivity. They will combine Juniper’s E-series edge routers with Nominum’s Foundation Dynamic Configuration Server. Nominum customers include British Telecom, Verio, Colt Telecoms, Telewest and KPN.

“Not every carrier can have a point of presence in every single possible location,” says Andy Malis, chairman of the MFA Forum, which is defining specifications to resolve the MPLS interconnect issue between carriers. “And at this point, the interconnections that are happening are basically for best effort [service] only.”

The MFA Forum began work late last year on an MPLS cross-boundary interconnect to enable QoS, privacy and security, Malis says. The forum expects its initial specification to be published in the first half of 2006.

“We recognize in the standards community that there are deficiencies in the standard to be able to have a full-service MPLS interconnect in between carriers,” Malis says.

Vendors are also attempting to tackle the problem in associations such as the new IPSphere Forum, which spawned from Juniper’s Infranet Initiative Council, and with single-vendor products such as Cisco’s MPLS inter-provider features for its routers (www.networkworld.com, DocFinder: 8335).

The  forum  is  looking  to  extend  work 
done  by  the  IETF  to  define  up  to  eight  ser- 


BY  DENISE  PAPPALARDO 

Sprint says it has greatly increased the capacity on its
international IP MPLS network by adding wavelengths along routes
throughout Europe.

The carrier has been beefing up its MPLS network outside the U.S.
since late 2004, says Dan Dooley, vice president of international
markets for Sprint. But in the next month it plans to double
bandwidth on nearly all routes in Europe, he says.

Sprint  has  also  increased  capacity  on 
its  transatlantic  connections  by  adding 
wavelengths  along  several  undersea 
cables  it  has  from  the  U.S.  to  Denmark, 
France  and  the  U.K. 

The  service  provider’s  MPLS  network 
spans 110 countries, including Argentina,


vice  classes  in  an  MPLS  header,  using 
Differentiated  Service  (Diff-Serv)  code 
point markings, in a single carrier’s network. The MFA is looking to
broaden this specification so it works on an inter-provider basis, as
well, Malis says.

“The hard part is going to be on the carrier’s part to have some
amount of alignment on what the meanings are of the Diff-Serv
markings in the headers,” he says.

There’s a possibility, Malis says, that two carriers don’t use the
Diff-Serv markings to mean the same thing. In that case, the carriers
will have to figure out how to resolve this by re-marking packets at
a router at the boundary of the network.

Malis  says  there  is  text  in  the  IETF’s  RFC 
2547bis  specification  for  MPLS-based  Layer 
3  VPNs  that  states  how  to  establish  such 
interconnections.  But  that  is  for  best-effort 
Layer 3 VPNs only.

So the forum is working on a template to function as a guide for
mapping a subset of services between different service providers not
only for Layer 3 MPLS VPNs, but for all MPLS services: Layer 2
virtual private LAN Services (VPLS), point-to-point pseudo-wires,
traffic-engineered label switched path intercarrier trunks and VoIP
among them.

The  need  for  a  VPLS  network-to-network 


Bangladesh,  Hong  Kong,  Japan,  New 
Zealand  and  South  Africa.  Sprint  owns 
about 30% of its MPLS network nodes outside
the U.S. and all of its MPLS nodes
domestically. The remaining 70% of its
international  nodes  are  provided  through 
partner  networks. 

Sprint  says  it  has  plenty  of  switching 
capacity  throughout  Europe  with  dozens 
of  Cisco  GRS  devices  deployed,  but  it 
needs  to  increase  bandwidth  to  keep 
pace  with  customer  demand. 

“The amount of sales we have had this year has dwarfed our forecasts.
Our largest international deal last year wouldn’t even crack our top
10 of international deals this year,” Dooley says.

He says Sprint is winning more customers
that need 200- to 300-node MPLS


Virtually  impossible 

End-to-end  MPLS  VPN  QoS  through 
multiple  carriers  is  hard  to  achieve 
because  of... 

•  Inconsistent  QoS  provisioning  from  customer 
edge  to  customer  edge. 

•  Performance  statistics  differ  because  of  dissimilar 
measurement  techniques. 

•  Sub-optimal  inter-provider  QoS  profile/class 
mappings. 

•  Lack  of  interoperability  in  reporting  systems 
results  in  no  performance  path  visibility. 

•  SLA  enforcement  does  not  scale  or  becomes 
unmanageable  as  requirements  grow. 


interface  to  extend  switched  Layer  2  VPN 
services  came  up  at  the  recent  Supercomm 
2005  conference  in  Chicago  (DocFinder: 
8336). 

“There’s a lot more going on than just the Layer 3 VPNs, so we really
need a more general MPLS-based interconnect,” Malis says.

After  the  initial  phase  is  released  in  the 
first  half  of  next  year,  the  forum  hopes  to 
release  updates  —  or  subsequent  phases 

See  MPLS,  page  28 


networks  that  span  the  globe.  One  such 
customer  is  Motorola,  which  last  quarter 
inked  a  three-year  deal  for  a  230-site 
MPLS  network  that  spans  40  countries 
across five continents. “This is representative
of the five or six bigger deals we’ve
seen recently,” he says.

Sprint would not disclose how much it has invested in its
international expansion since last year. But this year, the carrier
has earmarked about $300 million for its long-distance networks,
which include international facilities.

In the next 12 months Sprint is planning to add MPLS switches to beef
up network reliability, Dooley says. The additional expense has been
approved, but the carrier has yet to publicly announce this latest
upgrade, he says. ■


Sprint  boosts  international  MPLS  net 
VoIP security concerns cannot be ignored


Johna  Till  Johnson 


VoIP security is beginning to get a lot of attention. But is its
visibility warranted? In June, Gartner called VoIP security concerns
“over-hyped” and urged IT executives not to hold off on VoIP
deployment because of such concerns.

Yet at the Black Hat conference in Las Vegas late last month, noted
researcher and security guru Phil Zimmermann — inventor of the
encryption protocol Pretty Good Privacy (PGP) — introduced an
architecture to deliver encryption to VoIP phones, positioning it as
part of an overall requirement to secure critical infrastructure.

Who’s  right?  Are  VoIP  security 
vulnerabilities  overblown,  or  do  IT 
executives  need  to  be  concerned? 

My  take:  Yes,  and  yes.  I  tend  to 
group  security  vulnerabilities  into 
two  classes:  privacy  issues  and 
denial-of-service  (DoS)  issues.  In 
other  words,  bad  guys  might  see 
(and  abuse)  your  data  and 
resources,  or  they  might  make 
your  resources  unavailable  to  you. 

VoIP privacy concerns encompass things such as eavesdropping and what
used to be called toll fraud. In other words, someone might listen to
your calls, or hack into and make calls from your IP PBX.

VoIP DoS issues encompass IP telephony-specific concerns such as Spam
over Internet Telephony as well as vulnerability to overall data
network security breaches, including client or server slowdowns or
freezes caused by viruses or spyware, distributed DoS attacks and the
like, which make the IP telephony system unavailable to users.

Taking these threats in order, eavesdropping is less of a concern for
IT managers than for the general public, simply because most
enterprise VoIP users rely on private (and relatively protected) IP
networks rather than the Internet. IT executives still need to be
concerned about the possibility of internal espionage; a tech-savvy
employee, consultant or other third party has ample access to the IP
infrastructure. And protecting the IP PBX from getting hijacked by
third parties is a concern. (One reason IT executives often express
skepticism about Windows-based servers is that they’re perceived as
more vulnerable to assault.)

But the real concern, in my book, is protection against DoS. Rolling
out VoIP in the absence of a proven data security architecture is
basically rolling the dice — it’s a matter of time before your
network goes down, taking VoIP with it. According to recent Nemertes
benchmarks on security best practices, most companies are actively
working to beef up their basic security but many have a long way to
go. Enhancing basic infrastructure components such as anti-malware,
firewalls and VPNs is among the top-funded security initiatives for
these firms (more than 80% said these initiatives were among their
top three priorities). The bottom line: If you’re rolling out VoIP,
make sure your data security is up to snuff.

Johna Till Johnson is president and chief research officer at
Nemertes Research, an independent technology research firm. She can
be reached at johna@nemertes.com.
— every six to nine months thereafter.

In the meantime, some carriers have established their own MPLS
interconnect services in which they hammer out specific wholesale
peering arrangements with other carriers to ensure service
consistency and global reach. InfoNet, for example, rolled out its
service four years ago to extend the reach and service capabilities
for multinational corporations via global class-of-service (CoS) data
services across multiple IP VPN backbones.

BtNAccess, a retail and wholesale carrier in Reston, Va., has MPLS
interconnect agreements with 15 other carriers in North and South
America, Asia, Europe and the Middle East for end-to-end VPN
connectivity to 35 countries. And Global Crossing last fall unveiled
its iMPLS service, which allows MPLS-based service providers to
essentially resell Global Crossing’s IP VPN service beyond their own
regions with guaranteed QoS.

“You can expect feature and CoS and QoS transparency consistent with
RFC 2547 standards, provided the implementation is done properly,”
says Anthony Christie, chief marketing officer and executive vice
president at Global Crossing. “Because [iMPLS] is a product of the
wholesale side of the house, it behooves us to make sure that there
is feature transparency, QoS, CoS and [service-level agreements]
between networks. It’s not just a way for us to provide an
extended-reach capability to our enterprise customers.”

Christie  says  Global  Crossing 
has  about  20  partners  for  iMPLS. 

Carriers  say  MPLS  interconnect 
is  more  of  a  challenge  for  carriers 
than  it  is  for  corporations.  Billing, 
settlement  and  customer  SLA 
assurance  are  all  matters  carriers 
have to agree on, while the customer
usually deals with only one
carrier  for  service  and  support. 

If  a  customer  doesn’t  receive 
contracted  SLAs,  some  carrier 
within  the  chain  won’t  get  paid. 

“All  these  [reach  and  QoS] 
things  are  addressed  as  you’re 
going  through  the  opportunity 
itself,”  says  Alessandro  Bucelli, 
MPLS  VPN  product  manager  at 
BtNAccess.  “Usually  companies 
that  are  considering  MPLS  VPNs 
are  intelligent  enough  to  realize 
that  one  company  can’t  provide 


[Figure: Consistently inconsistent]

If packet markings between different service providers do not match up, QoS could be disrupted.

Panels: Customer A's VoIP service; Customer B's VPN service. Label: Diff-Serv 1, EXP 0.

1. A regional service provider (RSP) marks the EXP bits in customer
B’s MPLS VPN label a value of 0 with a Diff-Serv QoS value of 1.

2. But a global service provider (GSP) assigns a Diff-Serv code point
value of 2 to the same label.

3. Similarly, the GSP assigns customer A's VoIP path an EXP of 1 and
Diff-Serv code point of 2.

4. And the RSP at the receiving end of A’s VoIP transmission assigns
a Diff-Serv code point of 3 to EXP 1.


you connectivity to the whole
world. They understand the whole
partnership model.”

Some analysts say MPLS VPNs are still too new to users for them to be
concerned about inter-carrier service consistency. They also try to
deal with only one or two carriers, not several.

“Most  enterprises  are  still  kind  of 
going,  ‘What’s  MPLS  again,  and 


how is it going to help me?’” says Johna Till Johnson, president of
Nemertes Research and a Network World columnist. “Inter-carrier MPLS
is sort of like, ‘Wow, that would be really cool if I could figure
out why I needed it.’ There’s no absolutely earth-shattering business
driver for multi-carrier MPLS from an enterprise standpoint.” ■


Vonage,  wireless  carrier 
offer  last-mile  bypass 

BY  STEPHEN  LAWSON,  IDG  NEWS  SERVICE 

A  provider  of  high-speed  wireless  service  to  businesses  in  several  U.S. 
cities is selling Vonage’s VoIP service along with its data connections.

A  deal  announced  last  week  between  fixed-wireless  provider 
TowerStream  and  Vonage  is  intended  to  make  it  easier  for  businesses  to 
completely  bypass  traditional  carriers  for  data  and  phone  service. 

The partnership represents an alliance of upstarts against the
incumbent telecom carriers, which traditionally have brought in a lot
of their revenue and profit from voice services and T-1 lines sold to
businesses. VoIP services such as Vonage’s are making steady inroads
against traditional carriers through low prices and new features.

TowerStream  has  fixed  wireless  networks  in  parts  of  New  York,  Los 
Angeles,  Chicago,  San  Francisco,  Boston  and  the  Providence,  R.I.,  area. 
Its  customers  can  get  500K  bit/sec  to  hundreds  of  megabits  per  second 
of  bandwidth,  says  CEO  Jeff  Thompson. 

Equipment at the customer’s location communicates with a base station
5 to 10 miles away, he says. Because it doesn’t require wires,
TowerStream  doesn’t  have  to  lay  fiber  or  lease  capacity  on  a  carrier’s 
local  “last-mile”  network  to  reach  subscribers. 

TowerStream’s service is priced starting at $350 per month; the
company offers a 1.5M bit/sec service for $500 per month as an
alternative to carrier T1 lines. There also is a $500 setup fee.
TowerStream owns the customer premises equipment.

TowerStream  customers  have  been  able  to  use  Vonage’s  service  over 
their fixed-wireless data connections, but now they can buy the two
services as a package. ■


TECHNOLOGY UPDATE

■  AN  INSIDE  LOOK  AT  TECHNOLOGIES  AND  STANDARDS 


DKIM  fights  phishing  and  e-mail  forgery 


BY  MILES  LIBBEY 

E-mail fraud is a global problem that plagues consumers and
businesses, costing millions of dollars in direct losses, technology
expenditures, lost productivity and network downtime. With phishing
attacks on the rise, leading companies are working to develop e-mail
authentication protocols that protect users from e-mail fraud.

DomainKeys Identified Mail (DKIM) is an e-mail authentication
proposal that strengthens user protection from e-mail forgery and
increases accountability for spam and phishing scams. DKIM defines a
domain-level authentication framework for e-mail using public key
cryptography and key server technology to permit verification of the
source and contents of messages by mail transport agents or mail user
agents. The goal of this framework is to prove and protect message
sender identity and the integrity of the messages they convey while
retaining the functionality of Internet e-mail as it’s known today.

The specification merges Yahoo’s DomainKeys and Cisco’s Internet
Identified Mail e-mail verification technologies, which have similar
attributes. Cisco and Yahoo submitted the combined technology to IETF
last month for consideration as an e-mail industry standard and to
help enable industry-wide adoption of the technology.

Got great ideas?

■ Network World is looking for great ideas for future Tech Updates.
If you've got one, and want to contribute it to a future issue,
contact Senior Managing Editor, Features Amy Schurr (aschurr@nww.com).

DKIM uses public key cryptography to let users verify and maintain
message integrity, and identifies legitimate messages. The proposed
standard uses DNS in the same manner as DomainKeys, Yahoo’s anti-spam
protocol, which is in use around the world. DKIM also leverages
Cisco’s Internet Identified Mail header-signing technology, ensuring
signature consistency as messages are sent through networks.

Big  benefits 

The benefits of signing e-mail using DKIM can be substantial for
banks, utilities, e-mail commerce services and other companies that
send transactional e-mail to consumers. Providing customers with a
means to detect fraudulent e-mail can translate directly into
increased user satisfaction, reduced customer care costs and
strengthened brand reputation.

To sign an e-mail with DKIM, an e-mail administrator first creates
one or more public/private key pairs using free software. The public
portions are put into the domain’s DNS records, while the private
portions are given to the domain’s sending mail servers. When sending
a message, the mail servers use a private key to create a digital
signature covering the message’s headers and body, which is inserted
in the headers.

When the recipient’s e-mail system receives a DKIM message, it
performs a DNS lookup to retrieve the domain’s public key. With the
public key and the message contents, the server can verify that the
digital signature is valid, thus proving that the message was signed
by an authorized party, meaning it is not a forgery. If the
recipient’s e-mail system receives a message that does not contain a
DKIM signature, it performs a DNS lookup to determine if the domain
indicates how much of its e-mail is signed. If it indicates that all
messages are signed, the recipient can be certain that the message is
not authentic.
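The signing and receiving steps described above can be traced in a short model. This is an added example, not code from the DKIM proposal, Yahoo or Cisco: it uses unpadded RSA over a SHA-256 digest with a constructed demo key, a dictionary in place of DNS, and an assumed `_policy.<domain>` record (values `all` or `some`) for the "how much mail is signed" lookup. It also assumes the signing domain must equal the From domain.

```python
import hashlib

# Constructed demo key: two Mersenne primes give a fixed RSA modulus so the
# example runs offline. Unpadded "textbook" RSA, for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the sending server

# Simulated DNS (assumed layout): a public-key record per selector and a
# per-domain record stating how much of the domain's mail is signed.
DNS = {
    "mail._domainkey.bank.example": {"n": N, "e": E},
    "_policy.bank.example": "all",
    "_policy.shop.example": "some",
}

SIGNED_HEADERS = ("from", "subject")


def from_domain(headers):
    """Domain part of the From address (plain addr-spec assumed)."""
    return headers.get("from", "").rsplit("@", 1)[-1].strip().lower()


def message_digest(headers, body, names):
    """Hash the listed headers plus the body; returned as an integer below N."""
    h = hashlib.sha256()
    for name in names:
        h.update(f"{name}:{headers.get(name, '').strip()}\r\n".encode())
    h.update(body.encode())
    return int.from_bytes(h.digest(), "big")


def sign(headers, body, domain, selector, d=D, n=N):
    """Sending server: sign headers and body, insert the signature header."""
    sig = pow(message_digest(headers, body, SIGNED_HEADERS), d, n)
    out = dict(headers)
    out["dkim-signature"] = (
        f"d={domain}; s={selector}; h={':'.join(SIGNED_HEADERS)}; b={sig:x}"
    )
    return out


def parse_tags(value):
    """Split 'k=v; k=v' into a dict."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}


def evaluate(headers, body, dns=DNS):
    """Receiving server: return 'pass', 'fail', 'reject' or 'neutral'."""
    domain = from_domain(headers)
    sig_header = headers.get("dkim-signature")
    if sig_header is None:
        # Unsigned mail: ask the From domain how much of its mail it signs.
        return "reject" if dns.get(f"_policy.{domain}") == "all" else "neutral"
    tags = parse_tags(sig_header)
    if not all(t in tags for t in ("d", "s", "h", "b")):
        return "fail"
    if tags["d"].lower() != domain:
        return "fail"  # model assumption: signer must be the From domain
    key = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if not isinstance(key, dict):
        return "fail"  # no public key published under this selector
    try:
        sig = int(tags["b"], 16)
    except ValueError:
        return "fail"
    expected = message_digest(headers, body, tags["h"].split(":"))
    return "pass" if pow(sig, key["e"], key["n"]) == expected else "fail"


if __name__ == "__main__":
    hdrs = {"from": "alerts@bank.example", "subject": "Your statement"}
    body = "Your July statement is ready.\r\n"  # constructed sample message
    signed = sign(hdrs, body, "bank.example", "mail")
    print("signed, intact  :", evaluate(signed, body))
    print("signed, altered :", evaluate(signed, body + "extra line"))
    print("unsigned, 'all' :", evaluate(hdrs, body))
```

The real proposal adds padding, header and body canonicalization and a separate body hash, none of which this model attempts.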

Trust  evaluation 

Once  a  message  has  been  determined  to 
be  legitimate,  the  recipient  system  can  use 
reputation  and  accreditation  systems  to 
evaluate  how  much  trust  should  be  given 
to  the  e-mail.  For  instance,  anti-spam  filters 
might  not  challenge  messages  from  a 
bank  as  much  as  those  from  a  gray-market 
pharmaceutical  e-commerce  vendor. 

Giving recipient systems the tools to distinguish between fraudulent
and legitimate e-mail will make it more difficult for spammers,
phishers and other fraudulent e-mail senders to evade anti-spam
filters. In addition, anti-spam systems can use the DKIM information
to make more accurate decisions in creating safer and improved user
experiences in e-mail.

Libbey is the anti-spam product manager for Yahoo Mail. He can be
reached at mlibbey@yahoo-inc.com.


HOW IT WORKS: DomainKeys Identified Mail

A newly proposed IETF e-mail authentication technology, DKIM combines
DomainKeys and Internet Identified Mail. The specification uses
public key cryptography to let users verify and maintain message
integrity.

[Diagram: sending mail server, receiving mail server, DNS]

1. The sending domain publishes a public key in its DNS record.

2. The sending mail server digitally signs and sends the message.

3. The receiving mail server retrieves the public key from the
sending domain's DNS record. It verifies the digital signature using
the message content and the key.

4. The receiving mail server delivers the e-mail to the end user's
mailbox.

Ask  Dr.  Internet  By  Steve  Blass 


Is  it  true  that  attack  software  for  exploiting 
Cisco  routers  was  publicly  released  at  a  recent 
hacker  conference? 

No exploit software was publicly released. A recent conference
presentation described how Cisco IOS might be compromised by the same
sort of buffer overflow problems that cause trouble in other
operating systems, and a current IOS vulnerability was discussed.
Cisco released an advisory addressing a denial-of-service
vulnerability on July 29 affecting "all Cisco devices running any
unfixed version of Cisco IOS or Cisco IOS XR code that supports, and
is configured for, IPv6." (The advisory is available at
www.networkworld.com, DocFinder: 8337.)

Devices running Cisco IOS should be upgraded to a version in which
this vulnerability has been fixed. If you aren't using IPv6 in your
network, you can protect your routers by ensuring that IPv6 is not
configured. On a router that is configured for IPv6, do this by
issuing the commands "no ipv6 enable" and "no ipv6 address" on each
interface. Cisco is providing upgraded software for all customers.
Those with service contracts should obtain upgraded software through
regular channels. Cisco customers without service contracts should
contact the Cisco Technical Assistance Center and be ready to provide
the serial number for the routers to be upgraded, along with the URL
of the advisory, to receive a free upgrade.

Blass, a network architect at Change@Work in Houston, can be reached
at dr.internet@changeatwork.com.
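To find which interfaces need the two commands named in the answer above, a saved router configuration can be checked offline. The script below is an added example, not part of Cisco's advisory or of this column; the sample configuration is constructed and the function names are assumptions.

```python
import re

# Constructed sample of a saved IOS configuration (documentation addresses).
SAMPLE_CONFIG = """\
hostname edge-router
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:DB8::1/64
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 ipv6 enable
!
interface Serial0/0
 ip address 203.0.113.1 255.255.255.252
 no ipv6 enable
!
interface Loopback0
 description ipv6 address plan pending
 ip address 10.0.0.1 255.255.255.255
!
"""

# An interface counts as IPv6-configured only when a sub-command *starts*
# with "ipv6 enable" or "ipv6 address"; negated ("no ...") lines and
# free-text descriptions that merely mention IPv6 do not match.
IPV6_ACTIVE = re.compile(r"^ipv6\s+(enable$|address\b)", re.IGNORECASE)


def ipv6_interfaces(config_text):
    """Map each interface name to the IPv6 sub-commands found in its stanza."""
    found = {}
    current = None
    for raw in config_text.splitlines():
        if raw.lower().startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            continue
        if not raw.startswith(" "):
            current = None  # "!" or any top-level line closes the stanza
            continue
        if current is None:
            continue
        command = raw.strip()
        if IPV6_ACTIVE.match(command):
            found.setdefault(current, []).append(command)
    return found


def remediation(config_text):
    """Build the per-interface commands the column recommends."""
    lines = []
    for name in ipv6_interfaces(config_text):
        lines += [f"interface {name}", " no ipv6 enable", " no ipv6 address"]
    return lines


if __name__ == "__main__":
    for name, commands in ipv6_interfaces(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(commands)}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

This only applies where IPv6 is not in use; routers that need IPv6 are covered by the upgrade the column describes.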
Stormy weather software

GEARHEAD
INSIDE THE NETWORK MACHINE
Mark Gibbs

Weather can be nasty stuff. As most of you know (particularly if you
live in Florida or Tornado Alley), and as some of us have
experienced, a lightning storm can easily become a recipe for
spending lots of money and enjoying sleepless nights.

So what can you do? Well, knowing when a serious storm enters your
area can make a huge difference to how and when you handle shutting
down and unplugging systems. You could watch weather forecasts on TV
(sketchy at best) or check an online weather service. The problem
with the latter is you have to actually have someone monitoring the
service for weather in your locality. Here’s a great alternative:
StormPredator from IntelliWeather.

StormPredator  is  a  Windows  2000  or  XP  (Home  or  Pro) 
application  (it  also  will  run  under  Microsoft  Virtual  PC  for 
Macs)  that  downloads  radar  data  from  the  national  Nexrad 
Radar  network  and  tracks  weather  in  near  real  time.  The 
really  cool  thing  is  StormPredator  can  detect  when  bad 
weather  enters  your  area  and  alert  you. 

Nexrad (which stands for “Next Generation Radar”) measures
precipitation and wind speed. The system transmits radar pulses that
are reflected back by water in the atmosphere, trees, buildings and
so on. By analyzing the received pulse strength along with the time
it takes for the pulse to travel to whatever reflects it (what we’ll
call the target) and back again, and the Doppler shift (the pulse’s
frequency shift due to the speed of movement of the target), then
removing the “noise” created by the reflections from stationary
targets, the Nexrad system can measure the reflectivity, direction of
movement, and speed of precipitation.

There are a lot more technical issues, including the removal of
signals returned by static objects, such as buildings and trees, as
well as the different types of reflectivity and conditions that
weather radar can measure. For those of you who wish to wade through
the details, the Weather Underground has a very good primer on
weather radar.

After you install StormPredator (very easy), you select your
location, and you will be presented with a novel display: a
simulation of an old-fashioned radar scope complete with a sweeping
beam (you can switch this off).

There are a lot more configuration options, the most important of
which is to specify a scan zone — a circular area of whatever size
you please centered on your location. You then set the threshold for
precipitation level and sensitivity at which you want alerts to be
generated. Alerts can be displayed on the monitor with an optional
warning sound or include e-mail and smartphone messages.


Once a storm is detected and you’ve been alerted, you can predict the
path and arrival of a storm cell at a given location using the track
function. You select the cell’s approximate center at three previous
times, and StormPredator will display the projected path as a
trapezoid, where the center is the most likely path and the boundary
of the trapezoid is the likely variance of the path. Clicking within
the boundary displays the approximate arrival time of the cell at
that position.

StormPredator also can display loops of recent radar data, and
download forecasts and maps of weather warnings. It also
automatically saves regular snapshots in PNG or JPEG format that can
be uploaded to a Web server for integration with other content.

At  just  about  $40  this  is  an  awesome  tool  for  weather 
freaks  and  nervous  IT  groups. 

Our other topic this week is Gearblog: As you have hopefully noticed
(we wonder how you could not have; we have shamelessly pushed it
everywhere we could), we have a blog (along with around 30 million
other masochists). As it has been going for some time, we wonder what
you think of it. Do you read it? Is it useful? Entertaining?
Informative? Boring? Are the blog items with links for Gearhead and
Backspin useful? What would make you really happy if we were to add,
subtract or change? Please let us know.

Comments to gearhead@gibbs.com. Check Gearblog
(www.networkworld.com/weblogs/gearblog) for links and notes for this
column.


The scoop: LifeBook P1500 series, by Fujitsu, starts at $1,500.

What it is: A pen-enabled convertible notebook, the P1500 series is
an upgrade of Fujitsu’s P1000 line of ultra-portable notebooks, with
improved features and Windows XP instead of the Tablet PC operating
system. The notebook features an 8.9-inch touchscreen that lets you
use your fingers or any regular pointing implement to input data. (No
special pens are needed, which often get lost).

The 2.2-pound notebook is powered by an Intel Pentium M Ultra Low
Voltage processor (up to 1.2 GHz), has up to 1G byte of system memory
(minimum of 256M bytes), a 30G- or 60G-byte hard drive, integrated
802.11a/b/g wireless LAN connectivity and a port replicator/docking
station that provides additional ports and monitor connections.

The system’s regular battery provides about three to four hours of
life, and the extended battery (which also juts out to provide a
comfortable way to handle the notebook in slate mode) offers between
seven and eight hours of life, Fujitsu says. It is packed with
additional ports and interfaces, including a Compact Flash card slot,
a Secure Digital card slot, two USB 2.0 ports, an RJ-11 modem port
and RJ-45 Ethernet port.

The P1500 is aimed at markets such as healthcare and field force automation, and
workers who spend a lot of time using forms-based processing. It is designed to
be carried, meaning most data input will be done through the touchscreen and pen.

Corporations  will  appreciate  the  security  features  on  the  notebook,  which  include 
an  integrated  fingerprint  scanner  for  authenticating  users  onto  the  device,  and  an 
embedded  Trusted  Platform  Module  that  lets  users  encrypt  file  data. 

Why it’s cool: Many of the downsides of a tablet (odd operating system issues,
average handwriting recognition and the specialized pen that gets lost) are
eliminated through the use of the P1500’s touchscreen that can be used with your
finger or regular pointing device. For handwriting recognition, the system comes
bundled with EverNote Plus, a note-taking application that lets you store
handwritten notes, Web clips and other notes or lists, similar to the Microsoft
OneNote application found on Tablet PCs.

More impressive is the bundled RitePen application, which enables handwriting
recognition on any other application. For example, users can open up an Internet
Explorer browser and write the URL of a Web site in longhand, and the
application will convert it to text in the URL window. In our tests, we opened
an instant messaging application and sent IMs by converting our handwriting into
the text window.

The  style,  design  and  extremely  light  weight  of  the 
notebook  will  create  oohs  and  ahhs  around  the  office. 

Some  caveats: 

It is designed for workers who will use it mainly as a slate tablet, and use the
touchscreen for text input, but we have to take points off for the system’s tiny
keyboard. Fujitsu has done an admirable job in squeezing as many keys as
possible into its QWERTY keyboard, but users who do a lot of typing will feel
uncomfortable with its size. This can be alleviated by connecting a USB keyboard
to the system when it’s docked, but that reduces mobility. Another trade-off is
the lack of an optical drive on the system, which means installing applications
with a CD-ROM and watching DVDs with the notebook are harder to do. Fujitsu has
an optional external optical drive for the system that connects via USB port,
but that becomes an extra thing to carry around if you want those features.

Grade:  ickicki  (out  of  five) 

Shaw  can  be  reached  at  kshaw@nww.com. 


The  LifeBook  1500  gets 
high  marks  for  its  overall 
style,  design  and  its  light 
weight 
Jericho winner paints new security picture

The first-place entry in the Jericho Forum’s competition for a new answer to
security maps neatly to the forum’s vision of networks that aren’t dependent on
Chinese walls. The competition, in association with the Black Hat conference
group, challenged “any team of technology experts to design a secure
architectural solution that is open, interoperable, viable and operates in a
de-perimeterized environment.”

Principally  composed  of  large  companies,  the  forum 
argues  that  perimeter  defenses  have  been  rendered  useless 
by  Web  and  e-mail-based  attacks,  and  that  hardened  perime¬ 
ters  are  “at  odds  with  current  and/or  future  business  needs.” 

The  companies,  frustrated  by  what  they  see  as  continued 
industry  focus  on  the  broken  perimeter  model,  have  banded 
together  to  influence  security  thinking,  as  well  as  product 
direction  and  development,  with  this  competition  an  impor¬ 
tant  step. 

The first-place entry was from Thomas Olovsson and Jamie Bodley-Scott from
AppGate Security. Their vision: “The central firewall complex is replaced by a
set of distributed firewalls that are placed on all clients and servers. These
firewalls are centrally controlled and can dynamically be configured to allow or
deny traffic in the network.”

In a typical use, users connect to a gateway called a primary point of interface
and go through an identification/authentication dance (single sign-on); services
are requested, and the system checks access authorization and service
availability and then passes on to application servers information about the
users’ identity and access rights (the servers and services remain invisible to
unauthorized users); application servers grant access to bona fide users and
block access for all others; traffic is encrypted if needed.

To address the challenge’s viability requirement, Olovsson and Bodley-Scott
propose use of, in part, commonly available technologies: Kerberos for
authentication and authorization; LDAP for centrally storing credentials; and
SSL, SSH and IPSec for traffic encryption. Other aspects of the architecture
draw from AppGate’s managed portal technology.

“Assuming each object can protect itself, the overall security level achieved in
this system can be significantly higher than before,” write Olovsson and
Bodley-Scott. “A major reason for this is that all systems are now protected
against hostile traffic regardless of its origin.”

It is a compelling story that, as some of the judges in the competition wrote,
seems practical. Current firewalls would be redeployed as central systems to
collect data used for intrusion detection and prevention.

While  the  Jericho  Forum’s  basic  ideas  are  viewed  by  some 
as  radical  (see  www.networkworld.com,  DocFinder  8259),  if 
nothing  else  the  group’s  push  is  generating  some  important 
soul-searching  that  should  benefit  us  all. 

—  John  Dix 
Editor  in  chief 
jdix@nww.com 


Firewalls  tumbling  down? 

Regarding “Are firewalls expendable?” (www.networkworld.com, DocFinder: 8322):
I suspect the debate is being marred by the assumption that de-perimeterization
is equivalent to the death of the firewall. This is like saying that eliminating
city walls meant eliminating locks, doors and borders.

The Jericho Forum wants to develop a world without corporate perimeters by
requiring ISPs and network providers to deliver cleaner network services. One
might call this macro-perimeterization. At the same time, individuals and
corporations will be moving perimeters inward to protect their critical
information assets. One might call this micro-perimeterization.

None of us on the Jericho Forum want to achieve anarchy. Try to imagine the
discussions that went on in the council of London when the first “idiot”
proposed tearing down the city wall. The noise from the naysayers was probably
deafening and just as ill considered. Actually, we are envisioning a world where
everyone has implemented security models that negate the need for an electronic
city wall.

The  challenge  of  de-perimeterization  will  require 
governments,  vendors,  users  and  corporations  to 
work  in  a  new,  more  empowering  manner  that  relies 
on  new  models  and  means  of  electronic  trust.  We 
cannot  continue  to  operate  under  the  assumption 
that  the  Visigoths  are  at  our  city  walls;  we  need  to  take 
control  of  the  “countryside”  and  bring  order  inside 
our  electronic  borders. 

Adrian  Seccombe 
Chair, Trust  Model  Working  Group 
Jericho  Forum 
Guildford,  UK. 

Are firewalls expendable? No, not if you are at all rational. But one part of
this recent publicity stunt is that it is finally recognized that internal
networks are becoming increasingly hostile and PCs (especially Windows), servers
(all types), applications and appliances need firewalls in addition to perimeter
defenses. It is no longer sufficient just to watch the perimeter.

David Anderson
Calgary, Alberta

While the Jericho Forum is absolutely correct that new security solutions need
to be developed to protect resources within the network, promoting the notion
that companies should retire their firewalls is irresponsible and negligent. A
thorough inspection of the data security records of some of the forum’s members
(for example, Eli Lilly) might lead some to believe that they’ve already retired
their firewalls — I would not recommend taking security advice from someone with
their track record. The notion that companies should not secure their network
perimeters is entirely brain-dead and dangerous to the security and privacy of
everyone’s information — shocking in a year that has seen so many high-profile
cases of data security breaches, including from the very entities that are
promoting this idea.

Troy  Casey 
Atlanta 

More  security  needed 

Your story “Open source vs. Windows: Security debate rages” (DocFinder: 8323)
leaves out many areas of security. What about on-the-fly document encryption and
e-mail encryption? For Linux to be a truly viable solution, it needs to match
Windows in every area of security, including that which is available in end-user
applications. What I have seen so far is mostly manual, geek-oriented security
that would be very hard to convince regular users to use.

Glenn Gettinger
Terre Haute, Ind.

E-mail letters to jdix@nww.com or send them to John Dix, editor in chief,
Network World, 118 Turnpike Road, Southborough, MA 01772. Please include phone
number and address for verification.
ON COMMUNICATIONS
Nick Lippis

ABOVE THE CLOUD
James Kobielus

Can Juniper play part in trusted networks?


Trusted networking is changing the IT security and network industries as it
embeds access control, threat defense and containment, and risk mitigation
deeply into the network fabric. Cisco, HP, Nortel, Extreme Networks, Foundry
Networks, 3Com and Enterasys have made security programs top priorities.
Symantec, Trend Micro, McAfee and Computer Associates have focused on their
niche in the trusted networks market and partnered with large enterprise
players. All of the major service providers now offer managed firewall, VPN and
IDS/IPS services. But it is hard to tell whether one company in particular —
Juniper Networks — will be a factor in trusted enterprise networks.

Scott Kriens, Juniper chairman and CEO, has focused on the enterprise market in
his speeches and acquisitions. Juniper recently acquired Peribit and Redline,
and inked a new partnership with Avaya in the fast-growing IP telephony space.
Redline is nicely positioned in the red-hot Web application acceleration market,
and its 2004 $4 billion acquisition of NetScreen gives it a foothold in the
enterprise market, as well. Juniper’s net revenues for the second quarter of
2005 were $493 million, compared to $306.9 million for the same period last
year.

With  all  this  going  for  it,  why  would  I  question 
whether  Juniper  could  be  a  factor  in  the  trusted 
networks  market?  Because  there  are  a  few  issues 
that  give  me  pause  when  I  consider  Juniper’s 
potential  corporate  network  success: 

• Lack of direct corporate relationships. NetScreen’s products were distributed
to the enterprise market mostly through service providers. In acquiring
NetScreen, Juniper gets another set of products to sell to service providers,
rather than build and enhance corporate relationships.

• Product strategy. Juniper’s Redline acquisition is Layer 4 through 7
appliances. Juniper does not own any Layer 2 products. Layer 2 is becoming a
platform on which trusted network services are hosted. Look at Cisco’s Catalyst
switches and Network Admission Control, Nortel’s Ethernet Routing Switch
Portfolio with Threat Protection System, ProCurve Networking by HP’s
Interconnect switches with Virus Throttle, Extreme’s switches with Clear-Flow
security technology and Foundry’s switches with IronShield security technology.
All deliver some form of network access control to stop the propagation of
exploits before they enter the network. This hole in Juniper’s product strategy
relegates it to an appliance-based security approach.

• Making the jump. No company in the post-1984 divestiture world has been able
to successfully leap from service provider equipment manufacturer into the
enterprise market. Lucent sold Avaya to focus on the service provider market
because it couldn’t serve both. The door just does not seem to swing both ways.

For sure, Juniper is on a roll and has market attention. But the question
remains: Is Juniper a niche trusted networks player or a major influence and
force?

Lippis consults to CIOs of Global 2000 companies and their direct reports on
network architecture development and funding. He publishes the Lippis Report
(www.lippis.com) and can be reached at nick@lippis.com.


Identity  theft  threatens  federation 


Identity theft is fast becoming the new bete noire of the cyberworld, crowding
out spyware, spam and viruses for that dubious honor. During the past several
months, the media have splashed increasingly frightening cover stories, consumer
alerts and other breaking news about people who’ve had their identities spoofed,
credit cards hijacked and assets looted by unseen strangers lurking on the
Internet.

Amid the growing hysteria, the identity-management industry sees a big black eye
in the making, and it’s beginning to formulate strategies for identity theft
prevention, detection and remediation. For example, in June Liberty Alliance
formed a group to develop best practices to help businesses and consumers
prevent online identity fraud. In a similar vein, Microsoft recently announced a
retooled identity-management federation strategy — the Identity Metasystem —
that underscores the need for identity-theft and privacy protection.

The unspoken subtext behind these initiatives is that trust — the foundation of
identity-management federation — is in jeopardy if the industry doesn’t
proactively address identity theft on many levels. The stakes couldn’t be
higher. What’s most worrisome is the growing prevalence of phishing, pharming
and other social-engineering ploys to steal user information. These frauds
strike at the very heart of the federation: users’ trust in the authenticity of
identity providers. If you can’t trust that the party to whom you’re presenting
credentials is in fact what it claims to be, then nothing’s truly secure.

Likewise, well-publicized break-ins to corporate databases have further shaken
people’s trust in the safeguarding of critical personal identity data. And
massive theft of personal data creates another trust loss: Identity providers
who’ve been victimized can no longer trust that the individual presenting
credentials is who he or she claims to be.

In the face of never-ending identity thefts, the only way out of this downward
spiral is to continue reissuing new credentials to affected users, but only
after reputable agents have proofed those users to strong assurance, and only if
the new credentials rely on biometrics for strong authentication. Clearly, this
theft-unfriendly identity-management environment is a long way from being
implemented in the real world and would be quite expensive, complex and
cumbersome to universally deploy.

Some have argued that federated identity-management is a fundamentally flawed
approach that encourages identity theft. Nothing could be further from the
truth. There’s nothing inherently unsecure about federation protocols, such as
Security Assertion Markup Language and Liberty Alliance Identity Federation
Framework, or the way vendors and users have implemented them. Rather, most
identity theft originates in the massive online market for bulk user personal
data that many consumer-facing businesses collect in normal operations. In
addition, companies, carriers and other identity providers frequently implement
lax controls on external access to identity information in their databases and
directories, encouraging hack attacks.

The federated identity-management industry isn’t the only sector of our economy
that’s looking for solutions to the multifaceted problem of identity theft. But
the federated identity-management market realizes this is a bread-and-butter
issue that threatens to overshadow all efforts to create a universal trust
environment for interoperable e-business.

To its credit, the industry realizes that technical standards alone aren’t the
answer to identity theft and fraud. The threat is so multifaceted, pervasive and
stubborn that it must be addressed with federated identity-management best
practices that also take into account business, legal, consumer education and
other considerations. A cross-disciplinary approach to identity theft protection
— not purely technical approaches — should be the ongoing focus of Liberty
Alliance and other industry groups.

Kobielus is a senior technical systems analyst at Exostar LLC, a B2B trading
exchange serving the aerospace and defense industry. He can be reached at (703)
924-6225 or james_kobielus@hotmail.com.
to fill two critical roles in his IT organization at Northwestern Mutual — one
in identity management and one in mainframe system support. Zweig, vice
president of IT for the Milwaukee firm, began to get antsy when those slots had
not been filled in the usual timeframe of two to three months. “It was taking us
about five to six-plus months, double what I would like to see,” he says.

In itself, that might not seem like a big deal, but Zweig has his eye on the
bigger picture. As vice president of advocacy and communities of interest for
the Society for Information Management (SIM), he heads up a research project
that is examining the combined effects of radically dropping enrollment in IT
programs at the undergraduate level and the first wave of baby boomer
retirements. “Between the retirements that are coming and the reduction in
computer science students, we’re in a very difficult position,” he says.

Zweig is part of a growing number of IT leaders who are concerned it will be
increasingly difficult to find people with hot skills such as project
management. Without enough future IT professionals in the pipeline — and with
thousands of older employees leaving the workforce — the U.S. could be left high
and dry when it comes to technology innovation. And that could sap economic
growth.

Gartner estimates six out of 10 corporate IT professionals will assume
business-facing roles by 2010. By that same year, IT organizations at midsize
and large companies will be at least one-third smaller than they were in 20(10,
according to Gartner. In five years, 10% to 15% of IT professionals will drop
out of the field altogether, the firm forecasts. These predictions portend a
clouded future for an important sector of the U.S. economy.

“Where will the next wave of technology creation come from? Will the U.S. be
able to sustain its leadership? What will happen if there’s no one left to hire
here?” says Nancy Markle, past president of SIM and a current board member.
Markle was previously a CIO at Arthur

As the first wave of baby boomers begins to retire in 2008, 20% of human
resources managers who participated in a January Deloitte survey said they
anticipate
Declining enrollment

With the pain of the recession’s widespread layoffs barely in the past, it is
hard to believe an IT worker shortage could again be just around the corner.
Five years ago, the business and technical press were full of stories about the
lack of skilled IT professionals. The topic was a perennial favorite, right up
until the economy tanked.

But the signposts to a coming IT worker shortage are rooted in fact. The fact,
for example, that undergraduate enrollment in computer science programs has
dropped 7% for each of the last two years, according to the Taulbee Survey of
the Computing Research Association (CRA). Further up the pipeline, the number of
students who declared their major in computer science has declined for the past
four years and is now 39% lower than in the fall of 2000.

Kate Kaiser, associate professor at Milwaukee’s Marquette University, teaches a
basic computer science course, among others. “In 2001, this class had two
sections and 48 students. This fall I had one section and 12 students,” says
Kaiser, who is conducting interviews with IT managers as part of the SIM
research project. “It’s too bad — I think everyone should love this field,” she
says.

The steep decline in IT students is at least partly attributable to a largely
unseen but persuasive factor: parents. Just a few years ago, technology was a
glamorous destination, but thanks to its role in the dot-com boom, many now see
it as a dead letter. The perception is that all the good IT jobs are in India
and China, and they’re not coming back any time soon. “Parents influence the
field their kids go into. Right now, they view IT as too unstable,” says Diane
Berry, managing vice president for Gartner’s human capital management practice.

“The adults in these kids’ lives are perpetrating the wrong information. That is
only making things worse,” says Joey George, professor in the MIS department at
the College of Business, Florida State University, in Tallahassee. “These jobs
are starting to come back.”

No  cause  for  concern? 

In fairness, some people believe the alarms about a looming IT worker shortage
are akin to Chicken Little’s warnings about the sky falling. John Glaser, vice
president and CIO for Partners Healthcare System in Boston, is not currently
experiencing a crunch, and he’s not overly concerned about the dropping rates of
computer science students, either.

“It is not clear to me how much of an impact [the declining IT student
enrollment] will have. Many of our technical people received their education at
community colleges, vocational schools or through on-the-job training as they
shift careers. I don’t know how many of our recent hires have followed a
computer science path through college,” Glaser says. Recently, however, he has
seen IT staff turnover rates increase from 3% to 7% to 8%.

Though CRA research indicates a sharply reduced supply of computer science
students in the U.S., Jay Vegso, manager of membership and information services,
stops short of declaring an IT worker crunch. “Predicting demand [for IT
workers] is very difficult and has been botched before,” Vegso says.


A recent Challenger, Gray & Christmas survey of 150 human resources executives
pointed to the lack of qualified candidates, particularly in the fields of IT,
healthcare and specialty manufacturing, as a hindrance to job creation.

[Chart: Did your company's performance in the first half of this year meet
expectations? Responses shown: Yes, but expectations were low, 7%; Exceeded
expectations, 30%; Our industry suffered; we suffered, 2%.]

There are other countervailing factors. The U.S. government might soon elect to
increase again the number of H-1B visas, allowing additional foreign workers to
take IT jobs here. Companies might do a better job of developing non-technical
professionals to join the IT ranks. Outsourcing and automation will almost
certainly consume an increasing number of IT jobs going forward.

No one knows for sure what effect these forces will have in a year or two. Large
companies are not reporting huge gaps in their available IT skills today, but
tomorrow could be another matter.

Where  the  gaps  are 

It is impossible to precisely know in advance whether the coming shortage will
be severe, but there are some best practices IT managers should implement now if
they haven’t already, experts advise.

Topping the list is an IT skills inventory. This is exactly what it sounds like
— evaluating what skills are currently in-house, what skills might be needed in
the next five years and putting together a plan to bridge that gap. “Companies
need to come up with a workforce plan that details how they can continue to meet
their own changing needs,” says Andy Walker, research director for Gartner.


Dwindling IT pipeline

[Chart: Newly declared Computer Science (CS) majors, Fall 2000, Fall 2002 and
Fall 2004.]

[Chart: CS undergrad total enrollment, 2000-2001, 2002-2003 and 2003-2004.
Surviving labels: 60,000; 49,597.]

SOURCE: COMPUTING RESEARCH ASSOCIATION'S 2004 TAULBEE SURVEY OF THE 172
Ph.D.-GRANTING INSTITUTIONS THAT GRANT CS DEGREES.


Fastest growing industries

The top five for the period 2002-2012:

1. Software publishers
2. Management, scientific and technical consulting services
3. Community care for the elderly
4. Computer systems design and related services
5. Employment services


Fastest growing IT job titles in the U.S. economy, 2002-2012

Computer-related job titles: 2002; 2012; % growth

Network systems and data communications analyst: 186,000; [illegible]; 57%
Computer software engineers, applications: 394,000; 573,000; 46%
Computer software engineers, systems software: 281,000; 409,000; 45%
Database administrators: 110,000; 159,000; 44%
Computer systems analysts: 468,000; 653,000; [illegible]
Network and computer systems administrators: 251,000; 345,000; 37%
Computer and information systems managers: 284,0[illegible]; 387,000; [illegible]


So far, have you hired more or fewer workers than you had planned for this year?

We are on track: 12%
We have hired more than planned: 22%
We have not hired as many as we set out to: 22%
We have not met hiring expectations due to a lack of candidates: 44%

Do you plan to add more workers in the second half of 2005?

No, we will reduce the payrolls: 11%
No, stay the same: 33%

SOURCE: CHALLENGER, GRAY & CHRISTMAS Inc., JUNE 2005
The skills inventory will immediately spotlight the most pressing skills now and
for the near term. Networks are still a hot area, and for most organizations
finding someone who combines technical savvy with soft skills is an ongoing
challenge. People with project management experience and the ability to thrive
working in virtual global teams are in desperately short supply. “Companies need
both business and technical skills but the business skills are harder to find,”
Berry says.

Many companies have instinctively dealt with a potential worker shortage by
extending the working life of people who found they couldn’t retire when they
wanted because of the economy. “We got an extra few years out of them,” Walker
says. That is a good way to keep legacy systems going until they need to be
replaced, he adds, but is a temporary fix.

Creative  solutions  needed 

On a macro level, Zweig believes the long-term solution to an IT worker shortage
is to reach out not just to university students but also high school and middle
schools. “We have to get students enthused about entering IT. This is not a
dying profession,” Zweig says. SIM is working on school outreach efforts with
its more than 30 nationwide chapters.

As for CIOs who are concerned about how to fill their spots in the
coming years, it might take a mixed, creative approach. “You might
outsource some folks and bring some up through the in-house ranks, use
contractors for other roles,” Walker says. He admits this makes
managing the IT organization more complex.

But these efforts will be worth it in the long run if they help
preserve IT jobs in the U.S. economy. “Other countries are pushing for
technical education in their countries. If we don’t do that here,
companies will have no choice but to send the jobs offshore. That’s not
good for the U.S.,” Markle says.

Harris Miller, president of the Information Technology Association of
America (ITAA), heartily concurs. The combination of fewer students and
the coming wave of baby boomer retirements threatens American
competitiveness, he says. “It’s a myth that the smart people only live
in the U.S. The advantages that we had in the field of technology were
never going to last forever,” Miller says.

Miller believes turning the situation around requires a “major wake-up
call” on the part of government and private industry. Everyone needs to
support the next generation in seeing IT as a vibrant, growing
occupation, or else the tradition of technology innovation will perish.
“We’re like the frog sitting in the slowly boiling pot. It is happening
so slowly no one notices but pretty soon we’re going to be dinner,” he
says.

Paul  is  a  freelance  writer  in 
Waban,  Mass.  She  can  be  reached 
at  lauren.paul@comcast.net. 
$184 per user

Pros:  Very  mature  directory  service  now  lives 
on  Linux;  clustering  is  simple;  very  good 
administrative  tools. 

Cons: Doesn’t fully support 64-bit hardware platforms; no source code
is provided on this otherwise open source platform.


Novell’s  OES  provides  ties 
between  NetWare  and  Linux 


BY  TOM  HENDERSON,  NETWORK  WORLD  LAB  ALLIANCE 

Depending on how you look at it, Novell’s Open Enterprise Server is either
more of the same old stuff, or a major breakthrough in how advanced
services can be built to run on a variety of base operating system kernels.


Based  on  our  Clear  Choice  Test  of  OES,  we  think  it's  a 
major  breakthrough  in  Novell’s  long-stated  intention  to 
marry  its  directory  and  administrative  applications  to 
Linux.  OES  layers  a  highly  competitive  directory  service 
onto  Linux,  provides  decidedly  evolved  administrative 
and  management  components  and  offers  very  good, 
egalitarian  client  support. 

With OES you get a choice: traditional NetWare (Version 6.5 with Service
Pack 3), or traditional Linux (SuSE Linux Enterprise Server 9 [SLES] with
Service Pack 1). NetWare shops can now peer Linux applications and
services with NetWare-hosted eDirectory and Novell-based
identity-management services. On the flip side, Linux-based IT
organizations can now plug into a cohesive, mature, encrypted
authentication infrastructure that’s commercially supported worldwide.

A single OES license entitles the user to build two servers of either
foundational type and cluster them together. The OES glue that binds the
two base operating systems together is eDirectory, which is easier to
implement, manage and administer than the open source OpenLDAP directory
service. Novell has made the eDirectory services largely congruent across
both kernels.

The downside that still remains for both NetWare and Linux users — even
with OES — is that connectivity to Windows Active Directory and NT domains
creates a duplicate layer of directory services because that integration
requires the installation of Samba proxy services to make the necessary
connections.

Both versions of OES can be managed by iManager 2.5, a browser plug-in
that gets to the heart of virtually all OES services worth mentioning —
especially Novell’s evolved eDirectory. This application uses browser real
estate efficiently but begs for a high-resolution screen. On the Linux
side of OES, where iManager leaves off, SLES 9’s Yet Another Setup Tool
(YaST) takes over for driving operating system-specific configuration and
administration detail such as hardware management, low-level settings and
DNS/DHCP tasks. In our tests, we hardly used YaST.

Unlike with the Windows 2003 server editions we’ve tested, Linux and MacOS
clients aren’t second-class clients. OES provides maximum security
measures available for these clients, including easy logon script support
and encrypted server communication. The odd client out is Novell’s Desktop
System client, based on Linux, which doesn’t have a peer client-side
connectivity method that generic Linux, MacOS and Windows clients do.

While both foundation kernels will run on 64-bit CPUs (which we tested and
found no anomalies), both OES application sets are limited to 32-bit use
and are only supported by Novell at that level. We found that performance
of Web-based transaction tasks was only slightly faster (ranging from no
appreciable increase to a 7% rise in throughput on SLES 9 OES) than the
versions of NetWare 6.5 (DocFinder: 8326) and SLES 9 (DocFinder: 8327)
we’ve tested in the past. Novell says that a cross-platform, full 64-bit
version set of OES services is scheduled to arrive early next year.

Our  tests  showed  excellent  installation  compatibility  for 
both  kernel  foundations  across  an  array  of  server  platforms 
(see  “How  we  did  it,”  DocFinder:  8325). 

We found the network installation process to be much quicker than
installing the OES software from the distribution CDs. Initial
configuration of eDirectory on either platform, while unattended, takes
time (about 45 minutes for a baseline eDirectory configuration on SLES 9).
Subsequent importation of LDAP schema and data from our 3,000-user
database was very fast (less than 5 minutes on NetWare; 7 minutes on SuSE
Linux).

It also is possible to migrate Windows NT domain information into
eDirectory with a little effort. Connecting to a Windows Active Directory
tree requires more work, and synchronization services between eDirectory
and Active Directory use Samba, which requires extensive initial manual
installation when used with eDirectory.

Clustering NetWare and Linux

Once configured, either OES foundation can be clustered with any other,
with surprising ease. Connecting shared resources — such as file systems —
was a breeze. One exception was that NetWare OES was unable to handle
Common Internet File System (CIFS) with concurrent large file copies.
Novell says that CIFS support will be improved in an update to arrive
later this month.

We found server application support to be cohesive across both operating
system foundations. For organizations that use Apache, Java 2 Platform
Enterprise Edition, JBoss, Tomcat, MySQL and other open source application
platform sets, the OES platform levels the playing field between NetWare
kernel-based servers and those running OES SuSE Linux. Very few minor
differences exist with these applications between the two server
platforms. Additionally, a new certificate authority accessible from
either foundation worked well and has flexible, RSA-licensed certificate
generation and management.


The Breakdown

Installation/integration 25%: 4.0
Performance 25%: 4.0
Management 25%: 4.5
Security 25%: 4.5
Total score: 4.25

Scoring Key: 5: Exceptional. 4: Very good. 3: Average. 2: Below average.
1: Subpar or not available.

Note: Reflects overall scores between both OES versions.

Novell’s  NetWare  Storage  System  also  allowed  us  to 
mount  and  use  a  larger  number  of  filing  systems,  such  as
the  Linux  Reiser  journaled  file  system  found  in  SLES  9. 
By  using  iFolder  —  Novell’s  Web  interface  to  various, 
supported  OES-based  filing  systems  —  we  could  move 
folders/files  on  both  platforms  quickly  no  matter  the 
client  type.  This  rcp-type  (Unix  remote  copy)  method 
also  prevents  dragging  files  and  folders  through  network 
wires. 

We  built  NetWare  OES  to  NetWare  OES,  SLES  OES  to 
SLES  OES,  and  NetWare  OES  to  SLES  OES  clusters. 
Clustering  applications  can  be  in  mirrored  form  (active  to 
passive)  or  synchronized  (active  to  active)  using  CIFS, 
Network  File  System,  File  Transfer  Protocol,  Apple  Filing 
Protocol  and  LDAP.  We  tested  all  types.  The  applications
that  mirrored  across  the  OES  servers  include  MySQL, 
Apache,  Novell  iFolder,  DHCP  and  DNS  —  all  of  which 
successfully  passed  our  testing.  We  did  not  test  NetStorage 
(because  of  CIFS  issues  raised  earlier),  iPrint  and  Virtual 
Office  in  the  clustered  configuration. 

Both cluster synchronizing and mirroring were fast (for example, when we
imported a 300M-byte file into MySQL, the data was mirrored effectively
within 30 seconds), even under heavy, sustained loads between all OES
foundation combinations. But it was fastest when we clustered NetWare OES
to NetWare OES.

With OES, Novell has finally delivered on its basic promise of migrating
eDirectory and previously NetWare-based components onto Linux as a
fraternal partner. Yet to come are ports to a full 64-bit CPU platform
infrastructure. Additional cohesiveness in storage support (back-up
snapshots aren’t supported in SLES OES, as well as certain types of file
attributes, and encryption) will be welcome when they arrive.

Henderson is principal researcher for ExtremeLabs in Indianapolis. He can
be reached at thenderson@extremelabs.com.
App performance from an end user’s perspective


APPLICATION  PERFORMANCE  MONITORING 

PERFORMANCE  GUARD  4.0 

PremiTech 

NetResults  3.1 


$100  per  seat,  plus  the  cost  of  SQL  Server  2000 
or  Oracle  license. 

Pros:  Useful  statistics;  painless  installation  of 
client  agents;  easy  to  use. 

Cons:  No  corrective  actions;  runs  on  Windows 
only;  no  indexes  in  documentation. 


BY  BARRY  NANCE,  NETWORK  WORLD  TEST  ALLIANCE 

While most network monitoring tools have spent years inexorably working
their way up the protocol stack, a newcomer — PremiTech’s Performance
Guard — starts at the top and stays there. PremiTech says Performance
Guard monitors client machines at the application layer to collect useful
statistics regarding user experiences.


We recently tested Performance Guard Version 4.0 (see “How we did it” at
www.networkworld.com, DocFinder: 8332) and it proved to be less a tool you
occasionally reach for to solve a specific problem and more a measuring
stick that continuously gathers and tracks client performance data,
including application response times. We even found a use for Performance
Guard that its designers perhaps didn’t foresee.

View  from  the  top 

Performance Guard consists of a server component, agents you deploy on
each client and a customer-supplied copy of either Microsoft SQL Server
2000 or the Oracle relational database. The server component, which
includes its own Web server, gathers performance data from the agents and
stores the result in the relational database. The server component runs on
Windows Server 2000 or 2003, while the agents run only on Windows XP, 98,
ME and client versions of Windows NT, 2000 and 2003. Performance Guard
scales quite well, with a single-server component easily able to manage up
to a few hundred clients.

Like any good asset inventory tool, Performance Guard reveals such client
details as computer name, processor type and speed, type of network
interface, installed RAM and hard disk size. It goes much further,
however, to measure overall CPU and memory utilization, I/O statistics,
the names and owners of running processes, CPU and memory utilization by
process, as well as I/O reads and writes by process.

Performance Guard’s client-based agents noted each client’s server
response time, along with the traffic densities and any network errors it
experienced. Performance Guard also measured and categorized Web
transaction activity (that is, HTTP-based application services) in our
tests, based on transaction characteristics we specified at the
Performance Guard Server.

Performance Guard comes with a handy Internet Explorer helper object that
computes precise Web access response times and tracks the URLs that a
client accesses. We could even configure each Performance Guard agent to
use Internet Control Messaging Protocol echo requests/replies to ping
specific servers and devices on the network. These pings provided
client-oriented data that revealed client-to-device or client-to-server
network access times. Impressively, Performance Guard collects performance
statistics for Citrix Metaframe Server-based applications, including
per-session data and server responsiveness.

For any Performance Guard-measured metric, we could specify a threshold,
above which the server component would notify us, via e-mail or pager
alert, that a problem had occurred. We also instructed Performance Guard
to send alerts to IBM’s Tivoli, Computer Associates’ TNG network
management systems and the help desk tool Remedy.

Performance  Guard  cannot  automatically  fix  problems. 
For  example,  it  cannot  restart  a  Windows  service  or  stop  a 
runaway  process.  An  administrator  has  to  visit  the  client 
computer  to  manually  correct  problems. 

The Performance Guard agents are small and resource-frugal. Each one
typically consumed less than 1% of the client’s CPU, and often less than
0.5% of the CPU. Each agent sampled performance at predefined intervals.
The default interval is 1 second for local performance metrics, such as
CPU and memory utilization. At the Performance Guard server, we could
specify each agent’s sampling rate, from 1 second up to 60 seconds.

Each agent collects data for a reporting interval, which we could set from
10 seconds up to 2 minutes. The reporting interval governs how much
bandwidth the agents use to send data back to the Performance Guard
server. While a short interval implies high-resolution statistics, it also
results in higher bandwidth utilization. Similarly, a long interval
implies low-resolution statistics and low bandwidth utilization. PremiTech
suggests setting the reporting interval to between 30 and 120 seconds, but
we found an interval of 20 seconds did not adversely affect our network
traffic. Setting the interval to 20 seconds (that is, three transmissions
to the Performance Guard server every minute from every agent) sends
18,000 reports per hour over the network for 100 clients. Depending on
whether we’d told the agents to collect optional statistics, such as ping
timings, the 20-second interval setting caused Performance Guard agents to
send a total of 6M to 14M bytes to the server each hour. The resulting
bandwidth and server storage utilizations were not burdensome.


The Breakdown

Monitoring 20%: 4
Corrective actions 20%: 1
Platform support/scalability 20%: 3
Reporting 20%: 4
Ease of use 10%: 4
Documentation/installation 10%: 3
Total score: 3.1

Scoring Key: 5: Exceptional. 4: Very good. 3: Average. 2: Below average.
1: Subpar or not available.


Ease  of  use 

Performance Guard has a browser-based interface consisting of a Java 2
Platform Enterprise Edition application server environment that uses Java
Database Connectivity to access the relational database and that emits
dynamic Web pages an administrator interacts with. The interface, with its
self-explanatory menus and thoughtfully designed configuration windows,
was easy to navigate. Setting up named groups of users (client devices)
and then configuring each group was also simple.

Reports  are  particularly  useful  to  detect  response  time 
problems  by  individual  users  or  for  groups  of  users.  They 
were  also  useful  for  spotting  trends. 

We were able to use Performance Guard as a workflow measurement tool.
Imagine a department of 30 heads-down data-entry employees using a
custom-written application. By defining that application’s transactions at
the Performance Guard server, we could view reports that quantified each
data entry station’s workflow and productivity. When correlated with the
overall business workload, these Performance Guard client activity reports
helped us better assess, for instance, when to hire people or which
transactions were more difficult for people to handle.

Installing the agents across our Windows-based network was almost
painless. Using Microsoft’s MSI installer, the Performance Guard server
component quickly and silently distributed agents onto our clients. Only
when MSI fails (these failures can be rare or frequent depending on
Windows versions, patches and configurations), or when a client isn’t
powered on during installation, will you have to visit specific clients to
manually install the agent. Unfortunately, the documentation is a set of
online PDF files.

Performance Guard does for clients what traditional monitoring tools do
for servers. If you have a specific application crying out for client-side
response-time monitoring, or if you want to track office workflow from the
application’s perspective, Performance Guard might be what you need.

Nance runs Network Testing Labs and is the author of Introduction to
Networking, 4th Edition and Client/Server LAN Programming. He can be
reached at barryn@erols.com.
Unexpected carrier choices

A  few  companies  have  found  that  lesser-known  service  providers 
offer  cost  savings,  quicker  deployment. 


BY  DENISE  PAPPALARDO 

When it comes to selecting a carrier for your network needs, the road less
traveled might not be attractive to everyone. But some large companies are
finding that going with a service provider that might not be a household
name is the right answer for them.


Change is on the agenda for the big interexchange carriers with the
upcoming mergers of AT&T and SBC and MCI and Verizon. And that customer
uncertainty leaves the door open for service providers that might not be
as well known in the U.S. to win big contracts.

In July 2004, Jacobs Engineering Group, a $5 billion global provider of
technical, professional and construction services, started looking for a
new service provider to handle the company’s global telecom needs.

Michael Miller, senior vice president of IS and CIO at the Pasadena,
Calif., company, says many companies responded to his RFP but he whittled
the list down to about 10 and then moved to four. In May, Jacobs selected
British Telecom to handle the company’s global telecom needs, which
include services throughout the U.S. and overseas. In the past year, BT
has been aggressively building out its MPLS network in the U.S. and its
customer base in North America.

“We consolidated all of our telecom budget around the world. We had
hundreds of contracts from different providers. We are still in the
process of getting all of the contracts covered, but BT is consolidating
those for us,” Miller says. In addition to providing voice and data
services, BT is managing the engineering firm’s contracts with other
service providers around the world.

In the RFP, Jacobs stated about eight criteria that all service providers
had to meet, and six of those were critical, he says. “BT came the closest
to meeting all of those,” he says.

One of the key criteria was to expedite the deployment of circuits,
especially in Europe, he says. “They have come through in several
instances already,” Miller says. For example, after Jacobs acquired a
company in Scotland, it didn’t want to get stuck waiting up to two months
for a circuit, which was generally the norm for the firm. BT was able to
get circuits to the Scotland site much faster.

“We’re  looking  for  a  less-than-two-week  turnaround  and 
we’re  even  willing  to  pay  extra  costs  that  are  incurred  to  do 
that,  assuming  the  costs  aren’t  unreasonable,”  he  says. 

Miller also stipulated strict metrics regarding network performance,
availability and restoration in case of a network failure, which BT met.

But Miller had some concerns specific to selecting BT, such as BT’s
lesser-known presence in the U.S., the carrier’s past debt problems and
its reputation as a legacy European telco.

After a closer look, Miller says BT cleared up its $30 billion debt nicely
in the past few years. The carrier satisfied his other concerns with
strong service-level agreements and agreeing to terms that were important
to him, such as expedited circuit delivery requirements.

Miller says Jacobs’ primary goal in issuing its RFP last year was to
reduce the company’s telecom costs. Not only is the firm happy with BT’s
service and management of its telecom contracts, he’s happy with reduction
in telecom costs overall. He wouldn’t say how much he spends, but did say
the savings are expected to be substantial. “It’s a valuable deal to us,”
he says.

Despite Jacobs’ success, some analysts do not recommend users go with
lesser-known providers, or larger providers that might be reselling
services in the U.S. as their primary carrier.

“As a rule, I wouldn't recommend [a lesser-known service provider] simply
because in most instances you’ll be able to do better from a pricing and
contractual perspective by going directly to a U.S. provider vs. the
carrier who is reselling their services,” says Amin Ghossein, senior vice
president at Telwares Communications, a telecom contract negotiation firm.
“Telwares’ advice is that you can use some of these providers, but would
discourage it for your primary needs and use them in a secondary role.”

Another analyst agrees. “If an enterprise is looking at attractive pricing
from, say a Global Crossing, WilTel or Broadwing, one way to bring the
carrier through the door is if the enterprise has both carrier and
route-diversity requirements,” says Brian Washburn, an analyst at Current
Analysis. “If a carrier without a household brand name does an exemplary
job maintaining the enterprise’s redundant services, the enterprise can
then build up trust and rapport, and hand that carrier more business over
time.”

But for Bacardi Limited, a lesser-known company issued an RFP impressive
enough to win the deal. The Bermuda company started looking for a new
service provider in 2003, says Ron Stan, director of IT at the spirits
producer and distributor.

In late January, Bacardi selected Vanco, a U.K. virtual network provider,
to deploy its global 37-site MPLS VPN. The deployment is just underway
with about five sites up and the rest expected to be online by
mid-September.

“We  went  through  a  fairly  extensive  RFP  process,”  Stan 
says.  The  company  trimmed  down  the  list  based  on  the 
responses  and  completeness  of  information  it  received, 
and  brought  together  a  global  evaluation  team  to  assist  in 
the  process. 

Stan says he asked for pricing on a standard set of services for a
specific number of sites, so he could get the best apples-to-apples
comparison for the bids. “You really need to tell [the service providers]
specifically what you want if you want pricing that’s meaningful,” he
says. He also requested best pricing in the first round. “I meant best
price, and if they didn’t provide that, then they were cut,” Stan says.
“We were trying to avoid too many rounds of bids.”

“Talking with references was critical,” Stan says. While customer
reference checks didn't remove any carrier from the running, he says the
customer information provided valuable insight that helped in the decision
process.


Stan says he was keenly aware of the changing landscape in the telecom
market and considered that when making his decision. “We looked at
financial stability and ownership structure of each company. It wasn’t
just contract negotiations,” he says.

Bacardi  didn’t  want  to  go  into  a  situation  where  there  was 
a  merger  in  progress  and  ownership  was  changing  hands. 
Stan  says  he  also  paid  close  attention  to  ownership  clauses 
that  would  provide  an  out  if  ownership  changed  hands 
during  the  life  of  the  contract. 

The fact that Vanco is not very well known initially gave Bacardi reason
to pause. “You have to give some thought to a company that’s not a
household name. But then you look at their story, numbers, clients and
business model, and you come to the conclusion that at one time Microsoft
wasn’t a household name either.”


“We look at financial stability and ownership structure of each company.
It wasn’t just contract negotiations.”

Ron  Stan,  director  of  IT,  Bacardi  Limited 


SERVERS WITHIN YOUR REACH
FROM ANYWHERE


LOCAL  OR  REMOTE  SERVER  MANAGEMENT  SOLUTIONS 


UltraMatrix™ 

Remote 


MATRIX  KVM  SWITCH  WITH 
INTEGRATED  REMOTE  ACCESS  OVER  IP 


UltraMatrix™ 

E-series 


■  PROFESSIONAL  MULTI-USER  KVM  SWITCH 
2  -  4  KVM  STATIONS  TO  1,000s  OF  COMPUTERS 


KVM  OVER  IP 


•  System-wide  connectivity  over  IP  worldwide  and 
locally 

•  Connects  1,000  computers  to  up  to  256  user  stations 

•  Supports  PC,  Sun,  Apple,  USB,  UNIX,  serial  devices 

•  High  quality  video  up  to  1280  x  1024 

•  Secure  encrypted  operation 

•  View  real-time  video  from  4  computer  connections 
with  quad-screen  mode 


KVM  SWITCH 


•  PC  or  multi-platform  (PC/Unix,  Sun,  Apple,  others)

•  On-screen  menu  informs  you  of  connection  status 
between  units  in  an  expanded  system 

•  Powerful,  expandable,  low  cost 

•  No  need  to  power  down  most  servers  to  install 

•  Security  features  prevent  unauthorized  access 

•  Free  lifetime  upgrade  of  firmware 

•  Video  resolution  up  to  1600  x  1280 

•  Available  in  several  models 

•  Easy  to  expand 


The  UltraMatrix  Remote  represents  the  next  generation  in  KVM  switches 
with  IP  access.  It  provides  a  comprehensive  solution  for  remote  server 
access  over  IP  and  local  access  as  well. 


The UltraMatrix E-Series represents the latest in KVM matrix switch
technology at an affordable price. The E-Series allows you to connect
up to 256 user stations to as many as 1,000 computers. The
UltraMatrix E-Series is available in several sizes: 2x4, 2x8, 2x16, 4x4,
4x8, 4x16, 1x8, and 1x16 in either PC or multi-platform.


UltraConsole™ 

KVM  SWITCH 


SINGLE  USER  b  MULTI-PLATFORM  KVM  SWITCH 
1  KVM  STATION  TO  1,000s  OF  COMPUTERS 


Supports  PC,  Sun,  UNIX,  Linux,  USB,  and  serial 
devices 

Supports  serial  devices  such  as  routers  and  emulates 
VT100/220  terminals 

Plug-in expansion cards allow the system to easily be expanded as the
system grows

An expanded system can connect up to 1,000 computers to a console user
station

Powerful and expandable, yet low cost

Video resolution up to 1600 x 1280

On-screen menu informs you of connection status between units in an
expanded system

Multi-lingual  Menu  (English,  French,  German,  Spanish, 


CrystalView  Pro™ 

EXTENDER 
OVER  FIBER 


■  DVI/VGA  DIGITAL  KVM
EXTENDER  OVER  FIBER 

■  DVI  and  VGA  video  modes 

■  PC  and  USB 


■  PS/2  and  USB  keyboards  and  mouse. 

■  Full  stereo  audio  (optional) 

■  Serial  (optional) 

■  Ethernet  10BaseT  Network  management  (optional)

■  Extend  a  KVM  station  from  a  CPU  using  fiber  cable: 

■  (MultiMode)  62.5-micron  cable  up  to  650  ft 

■  (MultiMode)  50-micron  cable  up  to  1,300  ft 

■  (SingleMode)  9-micron  cable  up  to  33,000  ft  (6 
miles) 

■  Video  resolution  up  to  1600  x  1200 

■  Flexible  modular  architecture 


The  UltraConsole  represents  the  latest  in  KVM  switching  technology  at 
affordable  prices.  The  UltraConsole  allows  for  a  central  user  station  to 
connect  to  four,  eight,  or  sixteen  computers  per  chassis,  expandable  to 
as  many  as  1,000  computers,  servers,  or  serial  devices. 


The  CrystalView  Pro  fiber  is  the  KVM  extender  of  choice  for  businesses 
that  need  to  extend  and  operate  a  computer,  server,  or  KVM  switch 
from  a  great  distance. 

The CrystalView Pro fiber makes this possible through the use of standard
fiber optic cable. You can fully operate and control a computer or server
from as far away as 33,000 feet using 9-micron fiber cable (Singlemode)


■  KVM  RACK  DRAWERS  WITH  KVM  SWITCH  OPTION 

RackViews  offer  the  latest,  most  efficient  way  to 
organize  and  streamline  your  server  rooms  and 
multiple  computers. 

The RackView is a rack mountable KVM console
neatly fitted in a compact pull-out drawer. This
easy-glide KVM drawer contains a high-resolution TFT/LCD
monitor, a tactile keyboard, and a high-resolution
touchpad or optical mouse.


XtendVue  RackView 

Vertical  Rack  mountable  LCD  Fold-Forward 
With Built-in KVM Extender


RackView 

Fold-Back 
ROSE US 281 933 7673

ROSE EUROPE +44 (0) 1264 850574
ROSE  ASIA  +65  6324  2322 

ROSE  AUSTRALIA  +617  3388  1540 


800-333-9343 

WWW.ROSE.COM 
Need Secure Console Management?


Web  Browser  Interface 
Kall8

Real-time Activation of Toll-free,
Local, and International Telephone Numbers

Toll-free Service as Versatile
as You and Your Business


NO  EQUIPMENT  TO  BUY 
NO  SOFTWARE  TO  INSTALL! 


Not another VoIP solution!


Toll-free  service  without  the  hassle. 

Pay-as-you-go  with  no  contract. 

Add  a  toll-free  number  for  only  $2* 
and  keep  your  current  phone  service; 
there  is  no  need  to  switch! 

Power:  Keep  or  choose  your  toll  free  number! 

Add  new  numbers  anytime! 

Control: Take your toll free number with you and
never miss calls!

Freedom: Change where your toll free number rings
with the click of a mouse!

Flexibility:  Route  calls  by  day,  time,  call  area  — 
even  custom  route  specific  callers! 

Intelligence:  Record  calls,  view  call  detail  — 
even  capture  Caller  I.D.  on  unanswered  calls! 

For  five  years  running,  Kall8  has  been  the  online  toll-free 
provider  of  choice,  offering  all  the  features  of  a  VoIP  solution 
with  none  of  the  vulnerabilities  of  IP  telephony. 


Works  with  every  phone  system, 
whether  pulse,  tone,  digital, 
cellular,  wireless  device,  or  IP. 

Instant  activation  of  numbers! 

★  24/7  Secure  Online  Control 

★  View/Retrieve  Faxes  and 

Voice  Mail,  online  or  in  email 

★  Real-time  Call  Detail 

★  Reporting  and  analysis  tools 

★ Over a Dozen Features:

Call Blocking, Conferencing,
Call Recording, Custom Call
Routing and Distribution,
Automated Receptionist,
...and MORE!

Truly as little as
$2 per month and
just 6.9¢ per minute!


www.kall8.com/nww 

Mention NWW0805 when you call or sign up via the Web,
and we will waive your activation fee!


western  telematic  incorporated 


SSH  or  Out-of-Band  Access  to  Consoles  at  Remote  Locations 


■ Secure Shell (SSHv2) Encryption
■ Simultaneous SSH or Telnet
■ TACACS & RADIUS Authentication
■ Dial-Back Security on Modem Port
■ Command Logging with Audit Trail
■ SYSLOG Reporting
■ NTP Server Ready
■ Any-to-Any Port Switching
■ Non-Connect Port Buffering
■ Port-Specific Password Protection
■ Data Rate Conversion
■ Rack Mountable - Requires 1 Rack Unit
■ 115/230 VAC or -48 VDC Models
The SCM-16 Secure Console Management Switch provides in-band and
out-of-band  access  to  RS232  console  ports  on  UNIX  servers,  routers  and  any  other 
network  elements  which  have  a  serial  console  or  craft  port.  System  administrators 
can  access  serial  maintenance  ports  over  the  network  via  SSH  connections  and  simple, 
menu-driven  commands  or  through  a  discrete  TCP  port  connection,  mapped  directly  to 
one  of  the  SCM-16  serial  outputs. 

Visit  Website  for  Complete  NetReach™  Product  Line 
(800) 854-7226 • www.wti.com
5  Sterling  •  Irvine  •  California  92618-2517 
(949)586-9950  •  Fax:(949)583-9514 
Yes, We are Customer Friendly!

✓  Two  Year  Warranty 

✓  We  Stock  for  Same  Day  Shipment 

✓  30  Day  Return  Policy 

✓  Call  or  Email  for  an  Online  Demo 
How Do You Distribute
Power  in  Your  Data 
Center  Cabinet? 


With  Sentry! 

CDU  Product  Family:  Metered,  Smart  &  Switched 

The Sentry CDU distributes power for Blade servers or up to 42 dual
power 1U servers in one enclosure. Single or 3-phase input with
110VAC, 208VAC or mixed 110/208VAC single-phase outlet receptacles


Metered CDU

> Local Input Current Monitoring

Smart CDU

> Local Input Current Monitoring

> Supports External Temperature and
Humidity Probes

> IP Monitoring of Power, Temperatures
and Humidity


Switched  CDU 

>  Local  input  current  Monitoring 

>  Supports  External  Temperature  and 
Humidity  Probes 

>  IP  Monitoring  of  Power,  Temperatures 
and  Humidity 

> Remote Power Control of Each Outlet
— On / Off / Reboot


Server  Technology 
How much can your network analyzer handle?

Observer  is  the  only  fully  distributed  network  analyzer  built 
to cover your entire network (LAN, 802.11a/b/g, Gigabit, WAN).
Download  your  free  Observer  10  evaluation  today  and  experience 
more  real-time  statistics,  more  expert  events  and  more  in-depth 
analysis  letting  you  monitor,  troubleshoot  and  manage  every  site 
on  your  network  with  one  complete  solution.  Choose  Observer. 

SECURITY CONTROL: Watch for virus and hack attacks to
quickly isolate infected areas.

ALERT: Setup Triggers and Alarms on any network threshold
and be the first to know of network issues.

NETWORK OVERLOAD: Monitor bandwidth utilization, access
point utilization rates and network top talkers with Real-Time Statistics.


US  &  Canada 

toll  free  800.526.5958 
fax  952.932.9545 

UK  &  Europe 

+44(0)1959569880 

www.networkinstruments.com/analyze 


Does your analyzer cover one room or
the whole house?
Monitor the REST of your Computer Room!


Water  on  the  Floor 

Temperature 

Power  Problems 

Security 

Smoke  and  Fire 

Humidity 

Video 

And  much  more 


Sends SNMP Messages

Monitors 64 IP addresses

Embedded Web Server
Dealers Wanted


Sensor  Inputs 

(Temperature, Humidity,
Water, Motion, Power,
Smoke/fire)

Expandable 


Terminal server vendors, who proclaim that
they have Secure Out Of Band products, rely
on RADIUS, TACACS+ and other in-band
protocols to provide security. By inference,
they imply they secure out of band access
when, in fact, they offer only network security,
which conflicts with out of band access.


A  true  Secure  Out  of  Band  Management 
solution  should  provide  strong  security  without 
reliance  upon  network  based  protocols. 


CDI  offers: 

■ Hardware encryption over dial-up
and network connections
■ RSA certified SecurID authentication
without a network
■ Patented central management of all
remote devices

■ Full NIST, FIPS 140-2 certifications
■ Remote Power control

■ Homologous world-wide approved
internal modems


CDI has been building encryption equipment for over fifteen years. Our customers and partners include
major financial institutions, government agencies, major telcos, utilities, and the United States military.


Communication  Devices  Inc. 
www.outofbandmanagement.com 
for Text Retrieval® since 1991


♦  over  two  dozen  indexed,  unindexed,  fielded  &  full-text  search  options 

♦ highlights hits in HTML, XML and PDF while displaying embedded
links, formatting and images

♦ converts other file types (word processor, database, spreadsheet,
email, ZIP, Unicode, etc.) to HTML for display with highlighted hits


Instantly Search
Terabytes of Text

Reviews  of  dtSearch 


Desktop  with  Spider 
Network with Spider
Web  with  Spider  5,991 

Publish for CD/DVDs

Engine for Win & .NET


♦“The  most  powerful  document  search  tool  on  the  market”  —  Wired  Magazine 
♦“dtSearch ...  leads  the  market”  —  Network  Computing 
♦“Blindingly  fast”  —  Computer  Forensics:  Incident  Response  Essentials 
♦“A  powerful  arsenal  of  search  tools”  —  The  New  York  Times 
♦“Super  fast,  super-reliable”  —  The  Wall  Street  Journal 
♦“Covers  all  data  sources ...  powerful  Web-based  engines”  —  eWEEK 
♦“Searches  at  blazing  speeds”  —  Computer  Reseller  News  Test  Center 
See  www.dtsearch.com  for  hundreds  more  reviews  &  case  studies 


Engine for Linux


1-800-IT-FINDS • www.dtsearch.com
TAP into Performance

Monitor  mission-critical  links  with  the 
latest  technology  through  new  nTAPs 


Stop jeopardizing network performance and risking costly downtime. Be confident you
have maximum visibility into your full-duplex links by configuring an nTAP solution that
fits your network and budget. Visit www.networkTAPs.com/visibility today.


10/100/1000 Conversion nTAP

Copper  input  with  copper  or 
fiber  output  options 
Choose  your  analysis  output: 


SX . $1,495 

LX . $1,495 


Optical Fiber nTAP

Multiple  split  ratios 
Choose  your  port  density: 

Single  channel . $395 

Four  channel .  $1,795 

Six  channel . $2,395 


To  learn  more  about  how  nTAPs  can  boost  your  network  visibility  and  which  configuration  option 
is  best  for  you,  go  to  www.networkTAPs.com/visibility  or  call  866-GET-nTAP  today. 

Free  overnight  delivery* 


*Free overnight delivery on all U.S. orders over $300.00 confirmed before 12 pm CST.

nTAP and the nTAP logo are trademarks or registered trademarks of Network Instruments, LLC.


WWW.SUITCASE.COM


Luggage,  Fine  Leather  Goods,  Gifts,  and  more! 

Hartmann,  Andiamo,  Samsonite,  Cross 

10%  discount  for  Network  World  readers 
Enter  code  NWW2005 


WLAN 

SPECTRUM  ANALYZER 

True  Spectrum  Analysis! 
Not  a  WLAN  chip  set 


All  2.4  and  5 
GHz  bands  in 
one  unit  for 
only  $4400. 

Single  band 
2.4  GHz  unit 
for  only  $2600. 
Calibrated  Antennas 
Immediate  Delivery 


BANTAM  INSTRUMENTS 


www.BantamInstruments.com


FIBER  OPTIC  SOLUTIONS 


• T1/E1 & T3/E3 Modems

•  RS-232/422/485  Modems  and 
Multiplexers 

•  IBM  3270  Coax,  AS400  Twinax,  and 
RS6000  Modems  and  Multiplexers 

•  LAN  -  Arcnet/Ethernet/Token  Ring 

•  Video/Audio/Hubs/Repeaters 

•  ISO-9001 

•  USB  Modem  and  Hub 


S.I.TECH 

Toll Free 866-SITech-1
630-761-3640,  Fax  630-761-3644 
www.sitech-bitdriver.com  or  www.sitechfiber.com 
Events and Executive Forums

Network World Events and Executive Forums produces educational events
and executive forums worldwide, including our one day Technology Tours,
customized on-site training, and executive forums such as DEMO®,
DEMOmobile®, and VORTEX, as well as the DEMOletter and VORTEX
Digest newsletters. For complete information on our current seminar
offerings, call us at 800-643-4668 or go to www.networkworld.com/events.


Publicize your press coverage in
Network World by ordering reprints of
your editorial mentions. Reprints
make great marketing materials and
are available in quantities of 500 and
up. To order, contact Reprint
Management Services at (717) 399-1900 x128
or E-mail: networkworld@reprintbuyer.com.
Justice is not blind

The  state  of  New  York  Unified  Court  System  is  leveraging  its  huge  network  capacity  to  run  an 
advanced  IP  video  surveillance  and  recording  system. 


■ IP video streams from 350 Axis IP cameras, and analog cameras with IP converters, are sent over the court system's backbone.

■ Court security officers can view any camera in any room through the state's courthouses, whether in a command center or patrolling
with a Wi-Fi-enabled PDA.

■ Up to 350G bytes of video is recorded per day on six Dell servers with a total of 50T bytes of storage capacity. Security footage
is archived for three months.


Courts 

continued  from  page  1 

system, assembled using Linux scripts and commodity IP cameras,
installed on a shoestring budget, got the attention of court
system security officials, says CTO Sheng Guo.

“The solution proved to be a good experience, but it did not
provide video-recording functionality and other advanced
features,” he says.

The pace of Guo’s IP surveillance rollout accelerated this
spring, sparked in part by a widely publicized courthouse shooting
in Atlanta in March. New York courts have had closed-circuit
video for years, but only on the outside of a few key buildings and
main traffic areas. Security officials wanted continuous
surveillance in all courthouses and the ability to review video
weeks or months after an incident.

Super  surveillance 

A hundred cameras were added earlier this year — new IP cameras
from Axis Communications, as well as older analog cameras
fitted with IP encoders and attached to the LAN. The court
system also installed a software suite called NetGuard from
On-Net Surveillance Systems that controls all of the court
system’s cameras, plus video archival from Axis.

At the court’s downtown Manhattan security command center,
officers watch video on an array of flat panel displays, showing
the court’s most heavily trafficked sites. Through an interface
that mimics Internet Explorer, an officer can expand a directory of
icons, representing all courthouses and facilities. Clicking on each
icon reveals locations at each site under IP video surveillance. One
click deeper, and a window is launched with a live IP video feed:
a trial in session in Queens, pedestrian traffic outside the Superior
Court building downtown, an empty stairwell in Buffalo.

Officers can control the zoom and pan of the cameras via
mouse clicks. The windows can be tiled or arranged in a grid, giving
a view into dozens of sites at once. Officers can pull up a similar
interface on Wi-Fi-enabled PDAs. A few taps of a stylus, and
the officer has the same live IP video feed as the flat panels in the
command center — at a lower bit rate, because of the PDA’s tiny
screen and limited wireless LAN bandwidth.

The court system has more than 500 Nortel WLAN access points
deployed statewide for supporting data and video, as well as a test
deployment of VoIP-over-WLAN phones for court officers. (Nortel
Wi-Fi IP phones are being considered as a back-up communications
device to the court’s two-way radio system, Guo says.)

The NetGuard system can be configured for motion detection
and alerting, for monitoring closed buildings during overnight
hours. When a person enters an empty room under surveillance,
for example, a shake-up of recorded pixels occurs inside an
IP camera. The software that controls the camera senses this and
sends an e-mail, page or phone call to officers.

The IP-based system allows court staff to open cameras from
any PC — even from a home computer via the court’s VPN. All
cameras are password-protected, and traffic runs on a separated
virtual LAN, to protect the surveillance system from unauthorized
access, Guo says.

Even with camera feed accessible at the desktop, “you can’t have
staff watching every camera in every building all the time,” Guo
says. So the court system records everything digitally — 2.5T bytes
of video streams per month — on six video archive servers from
Axis, in the court system’s Manhattan data center.

“If  there  is  an  incident,  we  have 
months  and  months  of  video,” 
which  law  enforcement  can  view 
from  anywhere,  with  the  proper 
software  and  access  rights,  Guo 
adds. 

To  save  on  storage,  the  system 
does  not  record  dead  space; 
video  that  does  not  break  the 
threshold  for  pixel  movement 
detection  is  not  stored. 

Closed-circuit  video  systems 
have  been  used  across  the  state  in 
the  past,  but  these  analog  systems 
were  functionally  limited  and 
expensive,  Guo  says.  They 
required  an  outside  contractor, 
who  installed  dedicated  video 
cabling  and  monitoring  systems, 
and  tape  storage  was  costly  and 
physically  inconvenient. 

The IP surveillance traffic is just another drop in the court
system’s huge bandwidth bucket. “All systems we put in place are
based on IP,” Guo says. “But you can’t do any of this if you don’t
have the bandwidth.”


Between  2001  and  2003,  the 
court  system  upgraded  its  WAN 
from  OC-3  (155M  bit/sec)  SONET 
rings  upstate,  and  a  Gigabit 
Ethernet  MAN  in  Manhattan.  Now 
the  system  runs  OC-48  (2.5G 
bit/sec)  in  the  northern  part  of  the 
state  and  connects  facilities  in  the 
five  boroughs  with  10G  bit/sec 
Dense  Wave  Division  Multiplexing 
gear. The  court  system  uses  Nortel 
SONET  optical  routers  and  Cisco 
DWDM  switches  in  its  WAN.  More 
than  200  Nortel  Gigabit  Ethernet 
switches  make  up  the  backbone, 
distribution  and  access  layers 
across  the  LAN. 

A  busy  backbone 

Riding on the same pipes as the IP surveillance traffic is the
court system’s wide-reaching IP telephony and videoconferencing
network. Eight Nortel Communication Server IP PBXs
operate statewide, supporting 5,000 Nortel IP phones, installed
last year. Guo says more than 10,000 IP phones (two of every
three handsets) will be IP by year-end. The VoIP system replaces a
mix of aging Nortel PBXs and Verizon Centrex lines — saving
what Guo estimates will be about $50 per seat, or $750,000 per year.

In addition to VoIP, the court system widely uses IP
videoconferencing as a way for lawyers, judges and defendants to meet
without traveling all over the city.

In the Bronx Superior Courthouse, for example, six
soundproof booths house IP videoconferencing stations, with a
Sony IP camera and microphone and room for three people — usually
a lawyer, a client and a friend or relative.

At  Rikers  Island  prison  10  miles 
away  (or  three  hours  away, 
depending  on  traffic)  similar 
booths  are  set  up  in  six  specially 
outfitted  cells,  with  IP  cameras 
behind  bulletproof  glass.  Inmates 
can  talk  to  their  lawyers  in  private, 
or  appear  at  court  proceedings  in 
front  of  a  judge  inside  one  of  the 
hundreds  of  IP-video-enabled 
courtrooms  statewide.  The  law 
says  defendants  must  appear  in 
person  before  a  judge  only  for 
arraignments. 

“Lawyers do not have to go all the way to Rikers to see clients,”
says Frank Cupak, systems coordinator for New York’s 12th Judicial
District in the Bronx. “Attorneys can see more clients in a day with
the video system. They also no longer have an excuse to delay a
hearing because they couldn’t make it out to Rikers.”

The court does 8,000 conferences per year from the prison
island, which houses eight jails used by the city. This conferencing
cut the number of prisoner transports by a third last year.

“In the past a probation officer had to take a full day to move
prisoners from Rikers,” Cupak says. “Now that’s done in half a day.”

This  saves  money  since  fewer 
transports  means  less  expense, 
though  the  court  system  has  not 
measured  the  savings.  It’s  also  a 
safety  improvement. 

“There is always risk when moving a prisoner,” Cupak says. “This
reduces risk: Guards never have to even touch a prisoner to get
them to a hearing — there’s no one to hit.” ■
Mooching

continued  from  page  1 

is indicative of the variety of passionately held opinions and
legal murk on this question, which gained renewed attention
last month.

That was when news reports surfaced about the April arrest
of Benjamin Smith, who St. Petersburg, Fla., police allege
“wilfully, knowingly and without authorization” accessed a home
Wi-Fi network from a parked car in front of someone’s house.

Whose Wi-Fi is it?

Percentage of consumers who say they have accessed the Internet
by connecting to a neighbor’s wireless LAN.

SOURCE: JUPITER RESEARCH SURVEY OF 264 PEOPLE

Depending on your viewpoint, Smith was stealing, mooching,
hijacking, sharing, borrowing or just using the homeowner’s
Internet connection. As we learned in interviews with Wi-Fi
users and others, thinking on this subject is continually changing.

New  worries  or  no  worries 

Homes and small businesses have been the fastest-growing
market for wireless LAN (WLAN) equipment over the past couple
of years, and users are now starting to know enough about wireless
either to worry about having an open access point or to not
worry.

A Jupiter Research survey last year of consumers with wireless
home networks found the top concerns (see graphic, right)
were identity theft, eavesdropping and virus attacks. Yet some users
actually encourage shared use, even though nearly all service
providers forbid it in their broadband contracts. One example is
Newbury Open Net, which is a free, open WLAN spanning the
length of Boston’s tony Newbury Street.

Using an unprotected wireless link is very easy and seems to
cause no harm, some say. Elizabeth Weinberg, who now works
in a New York custom photo lab, was living off-campus in Boston
during her senior year in college. She and two roommates
didn’t want to pay an extra $20 each per month for broadband
service. Then came the siren song of a solid Wi-Fi signal from
somewhere in the apartment building.

“My roommate had an [Apple] iBook and it was picking up a
high signal,” she says. “We said, ‘We’ll just go with it.’”

Neither she nor her two roommates had any qualms. “I never
encountered anyone with moral objections to this,” Weinberg says.
“The Internet is so ingrained in my generation it’s like ‘oh yeah,
grab it.’ We’re not harming anyone.”

Wi-Fi worries

Top security concerns for consumers with home wireless
networks (more than one response allowed).

For Hilary Meserve, a teacher in Philadelphia, and her two
roommates it was, in a sense, Comcast’s fault. The trio shared
the cost and ordered broadband service through Comcast.
It never worked. “We’d call them,” she says. “They said we
were programming the wrong number, or doing something
else. There was always something that was wrong. Finally we
said ‘forget it.’”

All three roommates had wireless cards and found a “pretty
good signal” from a nearby WLAN. “All three of us used it for
the entire year,” Meserve says. When she relocated to another
part of the city, she did the same thing.


■ Identity theft or theft of personal information

■ Eavesdropping

■ Network disruptions due to virus

■ Neighbors using Internet access for free

■ Use for illicit purposes (illegal file sharing, spamming, etc.)

■ None


SOURCE:  JUPITER  RESEARCH  SURVEY  OF  264  PEOPLE 


The  ethical  presumption 

Using someone’s open wireless network should not be a crime,
according to Jennifer Granick, executive director for the center
for Internet and Society at Stanford Law School.

“First, as a user, you don’t know if you’re invited to use that
[open] wireless network or not,” Granick says. “Such use might be
allowed, even encouraged.”

“It’s not easy to say that the ethical presumption should be
against access” of an unprotected wireless network, says Lee Tien,
senior staff attorney with the Electronic Frontier Foundation.
The group’s San Francisco headquarters has a WLAN and lets
anyone use it. “Right now, we [as a society] don’t have a way of
saying ‘Even though my wireless signal is open, I’m saying you
can’t use it.’”

Nearly all broadband providers forbid subscribers from voluntarily
sharing a DSL or cable modem connection outside the
home. “It’s obviously not good for Verizon to have its services
given away for free, just as a cable company wouldn’t want
someone funneling their cable connection next door,” says a
Verizon spokeswoman. Verizon’s DSL Terms of Service and its
Acceptable Use Policy prohibit such sharing. Speakeasy is one
of the providers that explicitly allows the practice.

A second reason to tread carefully in outlawing such use is that
the laws against computer and network access, as applied to
wireless, often are too vague and leave too much discretion to
police and prosecutors, according to Granick. “We don’t want to
create a broad class of people who are ‘criminals’ and then let
prosecutors pick and choose which ones they want to go after,”
she says.

No  moral  agreement 

Finally, it’s still an open question about the morality of such
access. “There’s not a moral agreement in society that this is
wrong,” Granick says. “It’s more like a regulatory decision, such as
[requiring] driving a car with a driver’s license. We treat those
kinds of offenses differently” from robbery or assault.

But shouldn’t the law protect the many users who are ignorant
of technical details, and of the risks they face with an unprotected
wireless access point?

“You can’t really protect people that way,” says Paul Holman, a
principal in The Shmoo Group, a Seattle group of security
professionals who collaborate in their spare time on educating users
about computer and network security. “If I access your wireless
net and hack into your home computer and read files, we
already have laws that make all of that wrong and illegal and
bad. And I agree with all that. But we don’t need government to
regulate Wi-Fi.”

Holman says society can apply those current laws, educate
consumers, and go after WLAN vendors that continue to ship
products with security settings switched off. “They’ve consistently
chosen not to do this,” he says. “We should make them turn this
on or at least have a better [security] setup feature.”

The Florida arrest of Smith could have a highly educative
effect, says Patrick McCormick, former CIO for the city of
Somerville, Mass., and a co-founder of Boston Wireless Advocacy Group,
which promotes and helps create open public wireless networks.
People are becoming smarter about networking, he says, and
the public discussion will make people aware of the risks and
remedies they have with wireless networks.

It’s  this  kind  of  awareness  that 
will  “inform  people  about  how 
these  new  technologies  should 
be  used,”  McCormick  says. 

And that’s just what happened with Wi-Fi users Weinberg and
Meserve. Weinberg now lives in Brooklyn, N.Y., and has a broadband
service and a wireless router, which she has locked up
with a password. Why? “Because I know there are people out there
like myself, who would use it, given the opportunity,” she says.
“And I feared it would make my connection slower.”

Meserve’s practice changed when she found that her
Amazon.com account had been hacked. “I was looking at this
[issue] then as, ‘If you’re dumb enough to leave it open, then the
heck with it,’” she says. “But since my experience of being hacked,
I’ve changed my mind. And also because this [issue] is a bigger
deal now. Like downloading songs: Everyone was doing it,
until people started getting caught. So I wouldn’t do it
again.” ■
Face-Off: How tough would it be to crash the ‘Net ... and why hasn’t anyone done it?


BACKSPIN Mark Gibbs

Many could . . . but they lack the motivation

Last week’s column on Cisco’s fracas with one Michael Lynn
and its implications for shutting down the ‘Net generated
interesting feedback. Thanks to all who wrote in.

Reader Dane Dawson disapproved: “Cisco was able to
work with the other people and stay the issue, but that
didn’t stop a media-driven periodical such as yours . . .
from publishing whatever you want.”

I should point out that I am not an employee of
Network World and my editor doesn’t control what I
write (except to correct the grammar and take out the
dirty words).

So, why do I think the Cisco fracas matters so much?

My concern was that Cisco chose security through
obscurity to paper over the cracks in the Internet
infrastructure, which is effectively a Cisco monoculture.

Dawson continued, “So instead of working quietly to
hush this, you publish it so that every anti-Cisco,
anti-American, terrorist [in the name of journalism], hacker
and anyone else who was close to destroying a company,
has access and the tools to exploit routers ....
Congratulations, you have become a terrorist yourself.”


Even  though  I  didn’t  write  about  any  details  of  the 
exploit  or  even  point  out  where  you  could  find  out  how 
it  worked,  I  am  apparently  a  terrorist  for  having  the 
temerity  to  discuss  a  public  issue!  What  this  complaint 
demonstrates  is  a  profound  misunderstanding  of  how 
the  Internet  is  vulnerable  and  who  is  the  threat. 

As you will see from the ‘NetBuzz column due south of
here, Paul McNamara and I disagree on how vulnerable
the ‘Net really is. He contends that if it was that vulnerable,
someone would have had a whack at it by now. As
we can see no signs of such an attempt, we should
conclude it isn’t vulnerable.

<digression>This  is  essentially  the  anti-UFO  “alien 
wrench”  argument:  If  aliens  are  visiting  us  all  the  time 
then  why  haven’t  we  found  an  alien  wrench  lying 
around?  I  don’t  believe  in  UFOs  but  let’s  see:  If  you’re 
several  million  miles  from  the  garage  wouldn’t  you  plan 
to  keep  track  of  your  wrench?  Wouldn’t  completely 
cleaning  up  after  you’ve  scared  the  bejesus  out  of  some 
hick farmer and disemboweled one of his cattle be
logical?</digression>

Anyway, I contend that the Internet is vulnerable and it
hasn’t been taken down because the bad guys with the
wherewithal don’t have the motivation to do so. Consider
the terrorists. There are lots of them all over the world
and many of them have the wherewithal, but they need
the ‘Net.

For example, it is well-known that Al Qaeda uses the
Internet extensively for communication and publishing
propaganda. Take out the ‘Net and they’d have to go back
to traditional communications. It would also screw up
their banking arrangements.

Is  your  average  hacker  a  risk  to  the  Internet?  It  would 
only  be  by  accident.  A  really  knowledgeable  hacker 
probably  wouldn’t  attack  the  ‘Net  because  if  you  are  that 
savvy  you  can  foresee  the  consequences  and  they 
would  be  serious  to  say  the  least. 

The  wild  card  is  someone  as  crazy  as  the  Unabomber. 
Luckily  he  didn’t  have  the  wherewithal  when  it  came  to 
the  ‘Net  but  he’s  not  the  only  looney  out  there. 

The most likely source of doom as far as the ‘Net is
concerned will be a skilled teenage hacker with a total
lack of perspective and empathy, as shown by the boys
who committed the Columbine massacre. There’s your
alien wrench. Just because you haven’t seen it yet
doesn’t mean the aliens don’t exist. Lack of evidence doesn’t
disprove the theory or remove the possibility.

Found  a  wrench?  Tell  backspin@gibbs.com.  And  check 
Gearblog www.networkworld.com/weblogs/gearblog.


NETBUZZ News, insights, opinions and oddities

Very  tough . . .  which  is  why  no  one’s  done  it 


Paul  McNamara 


You’ll  hear  the  proposition  phrased  any  number  of 
ways:  Lots  of  people  —  some  bad  actors  —  possess  the 
know-how  and  wherewithal  to  crash  the  Internet,  and  it 
is  only  through  their  collective  goodwill,  overriding  self-interests,  and/or  dislike  of 
prison  food  that  the  ‘Net  has  yet  to  meet  that  unthinkable  fate. 

Last  week,  my  colleague  to  the  north,  Mark  Gibbs,  quoted  security  expert  and  author 
Stephen  Cobb  thusly:  “There  are,  and  always  have  been,  people  who  know  how  to 
crash  the  Internet  but  have  so  far  chosen  not  to  do  so." 

This  week,  Gibbs  is  defending  the  sentiment  expressed  by  Cobb. 

Me? I'm going to defend logic and common sense, which to my mind are on the side
of a different proposition, namely that the ability to crash the Internet — as in kaput for
an extended period — remains theoretical, largely because it is exceedingly more
difficult than the Chicken Littles would have us fear. Moreover, the fact that it hasn’t
happened speaks not to a dearth of qualified bad guys with the requisite motivation — but
simply a dearth of qualified bad guys.

The best news for me is that the facts — to the extent that there are any in this
angels-on-the-head-of-a-pin debate — align on my side. (The unsettling news for me
is that there will be three days between when I stop writing and you start reading,
leaving far too much time for me to be proven wrong in a most embarrassing way.)

Let’s start with an unassailable fact: Not a single bad guy has managed to slip a
bullet behind the Internet’s ear in the decade or so that the commercialized ‘Net has
presented a tempting target for every hacker and terrorist on the planet. And it’s not that
the idea hasn't crossed anyone's mind. Witness this story (www.networkworld.com,
DocFinder: 8345) from Wired Magazine that carries the headline: “50 Ways to Crash
the ‘Net.”

Note  the  publication  date:  Aug.  19, 1997. 

Either the bad guys didn't read Wired back then or the 50 ways left a bit to be desired
in terms of accomplishing what the headline promises.

Let’s  frame  the  matter  more  positively,  though:  I  say  that  those  toiling  to  stop  the  bad 
guys  from  killing  the  Internet  have  done  a  butt-kicking  good  job.  Give  them  a  round  of 
applause  instead  of  chalking  it  up  to  blind  luck  and  the  whims  of  criminals. 

But my biggest beef with the wolf criers is not over the idea that someone might
make the ‘Net take a dirt nap. There’s no way to argue that it’s literally impossible, after
all, and lots of smart people say that they or other smart people can do it. However,
just as cloning a human baby or landing a man on Mars is possible, they are only
possibilities until someone actually succeeds. And I'm betting we’ll see a cloned baby
before a croaked Internet.

No, my biggest beef is with the notion that a universal lack of motivation has
somehow draped a force field over what would otherwise be a hopelessly doomed Internet.
This thinking holds that the bad guys who might bring down the ‘Net are just like the
rest of us: hopelessly hooked on e-mail and e-commerce — in particular, electronic
banking — and as such they simply could not abide the thought of depriving
themselves of those channels.

All of them? This theory ascribes a level of reason and responsibility to a crowd that
otherwise  displays  precious  little  of  either. 

Which  brings  us  back  to  the  numbers.  If  you  tell  me  that  only  a  handful  of  people 
could  kill  the  Internet,  I  might  buy  that  all  five  have  simply  decided  not  to  do  it. 

But  I  heard  an  IT  executive  from  a  major  company  say  that  five  guys  in  his  shop  alone 
could  accomplish  the  feat  before  lunchtime.  If  he’s  right,  that  means  thousands  —  or 
tens  of  thousands  —  can  do  it  worldwide. 

And  if  thousands  can  do  it,  those  of  you  reading  this  online  right  now  . . .  wouldn’t  be. 

Still  there?  ...  I  thought  so. 

As  long  as  the  ‘Net  survives,  the  address  will  be  buzz@nww.com. 

